From dan at langille.org Sun Sep 12 07:23:32 2004
From: dan at langille.org (Dan Langille)
Date: Sun Sep 12 07:23:34 2004
Subject: vuln.xml *is* XML (was Re: vuln.xml is not XML)
In-Reply-To: <9E499E76-FAEC-11D8-84D2-000A95BC6FAE@FreeBSD.org>
References: <7mk6vg2m15.wl@black.imgsrc.co.jp>
Message-ID: <4143F4F1.28264.13A20725@localhost>

On 30 Aug 2004 at 20:25, Jacques Vidrine wrote:

> AFAIK, XML::Node is based on XML::Parser which is based on expat.
> expat supports namespaces perfectly well, so it is surprising if the
> Perl modules built on top of it do not.

The VuXML parsing script has been completed. The work was done by
Matthew Seaman. Yesterday I finished adding database update code to
his work. FreshPorts BETA now has VuXML data.

The next step is to mark commits as related to a VuXML entry and
that will enable us to provide a link. An example can be found at
http://beta.freshports.org/ftp/tnftpd/

We also have to get PORTEPOCH stored.
--
Dan Langille : http://www.langille.org/

From dan at langille.org Mon Sep 13 10:33:25 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 10:33:33 2004
Subject: Matching a name to a port
Message-ID: <20040913123610.G22240@xeon.unixathome.org>

I'm trying to match vuln.xml information against actual ports. To do
this, I need to know how the entries in the field are derived.

I first thought it might be PORTNAME. But that's not the case. I now
think it might be ${PKGNAMEPREFIX}${PORTNAME}$.

If I am correct, then I have some questions about the following entries.

What ports do the following refer to?

iaskmpd
ImageMagick-nox11
ja-netscape7
libtool
mod_php4-twig
mpg123-esound
mplayer-esound
mplayer-gtk
mplayer-gtk-esound
mysql-client
mysql-scripts
mysql-server

The answers may be obvious to the trained eye, but how does one write code
against this?
--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From dan at langille.org Mon Sep 13 10:35:55 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 10:35:56 2004
Subject: Matching a name to a port
In-Reply-To: <20040913123610.G22240@xeon.unixathome.org>
References: <20040913123610.G22240@xeon.unixathome.org>
Message-ID: <20040913133522.Y22240@xeon.unixathome.org>

On Mon, 13 Sep 2004, Dan Langille wrote:

> I'm trying to match vuln.xml information against actual ports. To do
> this, I need to know how the entries in the field are derived.
>
> I first thought it might be PORTNAME. But that's not the case. I now
> think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
>
> If I am correct, then I have some questions about the following entries.
>
> What ports do the following refer to?
>
> iaskmpd
> ImageMagick-nox11
> ja-netscape7

Please ignore ja-netscape7. I should have removed it from this list.
Sorry.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From nectar at FreeBSD.org Mon Sep 13 10:48:08 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Mon Sep 13 10:48:12 2004
Subject: Matching a name to a port
In-Reply-To: <20040913123610.G22240@xeon.unixathome.org>
References: <20040913123610.G22240@xeon.unixathome.org>
Message-ID: <20040913174748.GC71191@madman.celabo.org>

On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> I'm trying to match vuln.xml information against actual ports. To do
> this, I need to know how the entries in the field are derived.
>
> I first thought it might be PORTNAME. But that's not the case. I now
> think it might be ${PKGNAMEPREFIX}${PORTNAME}$.

${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}

See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
version information.

> If I am correct, then I have some questions about the following entries.
>
> What ports do the following refer to?
>
> iaskmpd
security/isakmpd
> ImageMagick-nox11
graphics/ImageMagick
> ja-netscape7
japanese/netscape7
> libtool
depends, could be devel/libtool13 or devel/libtool15, or even the
no-longer-existent devel/libtool or devel/libtool14
> mod_php4-twig
www/mod_php4-twig
> mpg123-esound
> mplayer-esound
> mplayer-gtk
> mplayer-gtk-esound

multimedia/mplayer
> mysql-client
> mysql-scripts
> mysql-server
depends, could be any of the database/mysql*-(client|scripts|server) ports.

> The answers may be obvious to the trained eye, but how does one write code
> against this?

Ports are re-named, moved, removed. I'm not sure that it can be
done exactly other than by what I suggested previously: a database
of the "history" of package names. IIRC, portupgrade uses ad hoc
heuristics to guess the port origin from the package name, when the
ORIGIN comment is not usable for some reason.

The dichotomy of package name and port origin has always been a
troublesome aspect of the FreeBSD Ports collection :-(

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From dan at langille.org Mon Sep 13 11:16:48 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 11:17:44 2004
Subject: Matching a name to a port
In-Reply-To: <20040913174748.GC71191@madman.celabo.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org>
Message-ID: <20040913135431.F22240@xeon.unixathome.org>

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> > I'm trying to match vuln.xml information against actual ports. To do
> > this, I need to know how the entries in the field are derived.
> >
> > I first thought it might be PORTNAME. But that's not the case. I now
> > think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
>
> ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
>
> See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
> version information.
>
> > If I am correct, then I have some questions about the following entries.
> >
> > What ports do the following refer to?

Jacques: Thanks for pointing out the ports I missed. I have snipped them
from the discussion so we can concentrate on the others.

> > ImageMagick-nox11
> graphics/ImageMagick

I see ImageMagick in the names for this vuln. Where does
ImageMagick-nox11 enter the picture?

> > libtool
> depends, could be devel/libtool13 or devel/libtool15, or even the
> no-longer-existent devel/libtool or devel/libtool14

Looking at the data:

libtool
1.31.3.5_2
1.41.4.3_3
1.51.5.2

I suggest we need three package entries to cover the various FreeBSD ports
which have existed. Please see the mysql suggestion below for an example
of what I mean.

This URL shows the libtool ports in question.

http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc

> > mpg123-esound

We have mpg123, but no mpg123-esound. I wonder where it comes from.

> > mplayer-esound
> > mplayer-gtk
> > mplayer-gtk-esound
>
> multimedia/mplayer

I don't know what to do about those. The vuln has an entry for mplayer,
so we'll catch that on FreshPorts, but not the other tree.

> > mysql-client
> > mysql-scripts
> > mysql-server
> depends, could be any of the database/mysql*-(client|scripts|server) ports.

FreshPorts, or any other code for that matter, has no way
of knowing that port this vuln entry refers to.

Intuitively, yes, we know it's going to be one of mysql323-client,
mysql40-client, and mysql50-client.

Yes, the range entries help human eyes:

4.14.1.3
55.0.0_2

I suggest we need two packages:

mysql40-client
4.04.0.20
4.14.1.1_2

mysql50-client
5.05.0.0_2

Should the entry be modified to refer explicitly to

> > The answers may be obvious to the trained eye, but how does one write code
> > against this?
>
> Ports are re-named, moved, removed. I'm not sure that it can be
> done exactly other than by what I suggested previously: a database
> of the "history" of package names. IIRC, portupgrade uses ad hoc
> heuristics to guess the port origin from the package name, when the
> ORIGIN comment is not usable for some reason.
>
> The dichotomy of package name and port origin has always been a
> troublesome aspect of the FreeBSD Ports collection :-(

Moving things around isn't so much of a problem. Locating them in the
first place is the issue. Later moves are not a problem.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From nectar at FreeBSD.org Mon Sep 13 11:36:48 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Mon Sep 13 11:37:34 2004
Subject: Matching a name to a port
In-Reply-To: <20040913135431.F22240@xeon.unixathome.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913135431.F22240@xeon.unixathome.org>
Message-ID: <20040913183627.GG71191@madman.celabo.org>

On Mon, Sep 13, 2004 at 02:16:37PM -0400, Dan Langille wrote:
> On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
>
> > On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> > > I'm trying to match vuln.xml information against actual ports. To do
> > > this, I need to know how the entries in the field are derived.
> > >
> > > I first thought it might be PORTNAME. But that's not the case. I now
> > > think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
> >
> > ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
> >
> > See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
> > version information.
> >
> > > If I am correct, then I have some questions about the following entries.
> > >
> > > What ports do the following refer to?
>
> Jacques: Thanks for pointing out the ports I missed. I have snipped them
> from the discussion so we can concentrate on the others.
>
> > > ImageMagick-nox11
> > graphics/ImageMagick
>
> I see ImageMagick in the names for this vuln. Where does
> ImageMagick-nox11 enter the picture?

Good point. ImageMagick-nox11 is probably also affected, and
probably should also be listed. (I'll correct.) If one installs
graphics/ImageMagick with the WITHOUT_X11 variable defined, then you
get ImageMagick-nox11.

> > > libtool
> > depends, could be devel/libtool13 or devel/libtool15, or even the
> > no-longer-existent devel/libtool or devel/libtool14
>
> Looking at the data:
>
>
> libtool
> 1.31.3.5_2
> 1.41.4.3_3
> 1.51.5.2
>
>
> I suggest we need three package entries to cover the various FreeBSD ports
> which have existed. Please see the mysql suggestion below for an example
> of what I mean.

It would not work, see below.

> This URL shows the libtool ports in question.
>
> http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc
>
> > > mpg123-esound
>
> We have mpg123, but no mpg123-esound. I wonder where it comes from.

If you build mpg123 with Gnome, you get mpg123-esound.

> > > mplayer-esound
> > > mplayer-gtk
> > > mplayer-gtk-esound
> >
> > multimedia/mplayer
>
> I don't know what to do about those. The vuln has an entry for mplayer,
> so we'll catch that on FreshPorts, but not the other tree.

Which is it? It seems that the s in ports/security/vuxml/vuln.xml
related to mplayer each list all of these package names.

> > > mysql-client
> > > mysql-scripts
> > > mysql-server
> > depends, could be any of the database/mysql*-(client|scripts|server) ports.
>
> FreshPorts, or any other code for that matter, has no way
> of knowing that port this vuln entry refers to.

That's because there is no such thing as an affected "port", only an
affected "package".

> Intuitively, yes, we know it's going to be one of mysql323-client,
> mysql40-client, and mysql50-client.
>
> Yes, the range entries help human eyes:
>
> 4.14.1.3
> 55.0.0_2

It is also used by any code that checks for vulnerable packages, such
as portaudit or vxquery.

> I suggest we need two packages:
>
>
> mysql40-client
> 4.04.0.20
> 4.14.1.1_2
>
>
> mysql50-client
> 5.05.0.0_2
>
>

No, this would be wrong and would not match any packages ever
installed by the FreeBSD Ports Collection. e.g. There is a package
``mysql-client-4.0.18_1'', but never has there been a package
``mysql40-client-4.0.18_1'' and there will never be.

> Should the entry be modified to refer explicitly to

Something truncated here?

> > > The answers may be obvious to the trained eye, but how does one write code
> > > against this?
> >
> > Ports are re-named, moved, removed. I'm not sure that it can be
> > done exactly other than by what I suggested previously: a database
> > of the "history" of package names. IIRC, portupgrade uses ad hoc
> > heuristics to guess the port origin from the package name, when the
> > ORIGIN comment is not usable for some reason.
> >
> > The dichotomy of package name and port origin has always been a
> > troublesome aspect of the FreeBSD Ports collection :-(
>
> Moving things around isn't so much of a problem. Locating them in the
> first place is the issue. Later moves are not a problem.

I'm not sure what you mean :-( Maybe you mean once you have the package
names correlated to port names within FreshPorts, later moves will be
"caught" automatically?

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From dan at langille.org Mon Sep 13 11:56:19 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 11:57:32 2004
Subject: Matching a name to a port
In-Reply-To: <20040913183627.GG71191@madman.celabo.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913135431.F22240@xeon.unixathome.org> <20040913183627.GG71191@madman.celabo.org>
Message-ID: <20040913144103.U22240@xeon.unixathome.org>

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 02:16:37PM -0400, Dan Langille wrote:
> > On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
> >
> > > On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> > > > I'm trying to match vuln.xml information against actual ports. To do
> > > > this, I need to know how the entries in the field are derived.
> > > >
> > > > I first thought it might be PORTNAME. But that's not the case. I now
> > > > think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
> > >
> > > ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
> > >
> > > See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
> > > version information.
> > >
> > > > If I am correct, then I have some questions about the following entries.
> > > >
> > > > What ports do the following refer to?
> >
> > Jacques: Thanks for pointing out the ports I missed. I have snipped them
> > from the discussion so we can concentrate on the others.
> >
> > > > ImageMagick-nox11
> > > graphics/ImageMagick
> >
> > I see ImageMagick in the names for this vuln. Where does
> > ImageMagick-nox11 enter the picture?
>
> Good point. ImageMagick-nox11 is probably also affected, and
> probably should also be listed. (I'll correct.) If one installs
> graphics/ImageMagick with the WITHOUT_X11 variable defined, then you
> get ImageMagick-nox11.

FreshPorts knows nothing about ImageMagick-nox11 because there is no such
port.
It knows only about ImageMagick, against which commits are made.

Proposed approach for FreshPorts: I think FreshPorts will ignore package
entries for which it cannot find a corresponding port. If all packages
for a vuln fail to relate to a port, that will be something which
justifies further investigation.

> > > > libtool
> > > depends, could be devel/libtool13 or devel/libtool15, or even the
> > > no-longer-existent devel/libtool or devel/libtool14
> >
> > Looking at the data:
> >
> >
> > libtool
> > 1.31.3.5_2
> > 1.41.4.3_3
> > 1.51.5.2
> >
> >
> > I suggest we need three package entries to cover the various FreeBSD ports
> > which have existed. Please see the mysql suggestion below for an example
> > of what I mean.
>
> It would not work, see below.

Ahh, I understand now. Thanks.

> > This URL shows the libtool ports in question.
> >
> > http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc
> >
> > > > mpg123-esound
> >
> > We have mpg123, but no mpg123-esound. I wonder where it comes from.
>
> If you build mpg123 with Gnome, you get mpg123-esound.

Good. Then the proposal will hold up here.

>
> > > > mplayer-esound
> > > > mplayer-gtk
> > > > mplayer-gtk-esound
> > >
> > > multimedia/mplayer
> >
> > I don't know what to do about those. The vuln has an entry for mplayer,
> > so we'll catch that on FreshPorts, but not the other tree.
>
> Which is it? It seems that the s in
> ports/security/vuxml/vuln.xml related to mplayer each list all of these
> package names.

I found only one vuln. 5e7f58c3-b3f8-4258-aeb8-795e5e940ff8

And yes, it refers to all the above. This situation will resolve OK under
the proposal.

> > > > mysql-client
> > > > mysql-scripts
> > > > mysql-server
> > > depends, could be any of the database/mysql*-(client|scripts|server) ports.
> >
> > FreshPorts, or any other code for that matter, has no way
> > of knowing that port this vuln entry refers to.
>
> That's because there is no such thing as an affected "port", only an
> affected "package".
>
> > Intuitively, yes, we know it's going to be one of mysql323-client,
> > mysql40-client, and mysql50-client.
> >
> > Yes, the range entries help human eyes:
> >
> > 4.14.1.3
> > 55.0.0_2
>
> It is also used by any code that checks for vulnerable packages, such
> as portaudit or vxquery.

Yep, I've had them in mind too, and was wondering how they did it. They
have the advantage of a list of installed packages/ports. FreshPorts does
not. I now think that's OK.

> > I suggest we need two packages:
> >
> >
> > mysql40-client
> > 4.04.0.20
> > 4.14.1.1_2
> >
> >
> > mysql50-client
> > 5.05.0.0_2
> >
> >
>
> No, this would be wrong and would not match any packages ever
> installed by the FreeBSD Ports Collection. e.g. There is a package
> ``mysql-client-4.0.18_1'', but never has there been a package
> ``mysql40-client-4.0.18_1'' and there will never be.

Of course, yes. We're back to the basis of package name:

${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}

FreshPorts has never stored that information. I see now that it will have
to. With luck, this information will be pretty static over the life of a
port and everything will just fall into place with respect to historical
entries.

> > Should the entry be modified to refer explicitly to
>
> Something truncated here?

I think I started something, then went and added the above "I suggest we
need two packages:" section and did not remove my uncompleted sentence.

> > > > The answers may be obvious to the trained eye, but how does one write code
> > > > against this?
> > >
> > > Ports are re-named, moved, removed. I'm not sure that it can be
> > > done exactly other than by what I suggested previously: a database
> > > of the "history" of package names. IIRC, portupgrade uses ad hoc
> > > heuristics to guess the port origin from the package name, when the
> > > ORIGIN comment is not usable for some reason.
> > >
> > > The dichotomy of package name and port origin has always been a
> > > troublesome aspect of the FreeBSD Ports collection :-(
> >
> > Moving things around isn't so much of a problem. Locating them in the
> > first place is the issue. Later moves are not a problem.
>
> I'm not sure what you mean :-( Maybe you mean once you have the package
> names correlated to port names within FreshPorts, later moves will be
> "caught" automatically?

Yes. It's hard to phrase. For example, you can view deleted ports in
FreshPorts, which will retain the history.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From nectar at FreeBSD.org Mon Sep 13 12:05:29 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Mon Sep 13 12:07:02 2004
Subject: Matching a name to a port
In-Reply-To: <20040913144103.U22240@xeon.unixathome.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913135431.F22240@xeon.unixathome.org> <20040913183627.GG71191@madman.celabo.org> <20040913144103.U22240@xeon.unixathome.org>
Message-ID: <20040913190509.GK71191@madman.celabo.org>

On Mon, Sep 13, 2004 at 02:56:10PM -0400, Dan Langille wrote:
> FreshPorts knows nothing about ImageMagick-nox11 because there is no such
> port. It knows only about ImageMagick, against which commits are made.
>
> Proposed approach for FreshPorts: I think FreshPorts will ignore package
> entries for which it cannot find a corresponding port. If all packages
> for a vuln fail to relate to a port, that will be something which
> justifies further investigation.

I think that is a reasonable approach.

[...]
> Yep, I've had them in mind too, and was wondering how they did it. They
> have the advantage of a list of installed packages/ports. FreshPorts does
> not. I now think that's OK.

Right, they are looking either at already-installed packages, or perhaps
at about-to-be-installed packages. In both cases, the actual package
name is already available.

[...]
> FreshPorts has never stored that information. I see now that it will have
> to. With luck, this information will be pretty static over the life of a
> port and everything will just fall into place with respect to historical
> entries.

/me crosses fingers :-)

[...]
> > I'm not sure what you mean :-( Maybe you mean once you have the package
> > names correlated to port names within FreshPorts, later moves will be
> > "caught" automatically?
>
> Yes. It's hard to phrase. For example, you can view deleted ports in
> FreshPorts, which will retain the history.

OK, I think I follow. Thanks!!

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From dan at langille.org Mon Sep 13 13:21:03 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 13:37:18 2004
Subject: Matching a name to a port
In-Reply-To: <20040913190509.GK71191@madman.celabo.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913135431.F22240@xeon.unixathome.org> <20040913144103.U22240@xeon.unixathome.org> <20040913190509.GK71191@madman.celabo.org>
Message-ID: <20040913160315.C22240@xeon.unixathome.org>

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 02:56:10PM -0400, Dan Langille wrote:
> > FreshPorts knows nothing about ImageMagick-nox11 because there is no such
> > port. It knows only about ImageMagick, against which commits are made.
> >
> > Proposed approach for FreshPorts: I think FreshPorts will ignore package
> > entries for which it cannot find a corresponding port. If all packages
> > for a vuln fail to relate to a port, that will be something which
> > justifies further investigation.
>
> I think that is a reasonable approach.

FYI, I just realised that FreshPorts can only determine the
${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} for existing ports. This will
exclude ports which have been deleted. Those values aren't easy to grab.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From nectar at FreeBSD.org Mon Sep 13 13:28:40 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Mon Sep 13 13:48:03 2004
Subject: Matching a name to a port
In-Reply-To: <20040913160315.C22240@xeon.unixathome.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913135431.F22240@xeon.unixathome.org> <20040913183627.GG71191@madman.celabo.org> <20040913144103.U22240@xeon.unixathome.org> <20040913190509.GK71191@madman.celabo.org> <20040913160315.C22240@xeon.unixathome.org>
Message-ID: <20040913202820.GC73780@madman.celabo.org>

On Mon, Sep 13, 2004 at 04:21:01PM -0400, Dan Langille wrote:
> On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
>
> > On Mon, Sep 13, 2004 at 02:56:10PM -0400, Dan Langille wrote:
> > > FreshPorts knows nothing about ImageMagick-nox11 because there is no such
> > > port. It knows only about ImageMagick, against which commits are made.
> > >
> > > Proposed approach for FreshPorts: I think FreshPorts will ignore package
> > > entries for which it cannot find a corresponding port. If all packages
> > > for a vuln fail to relate to a port, that will be something which
> > > justifies further investigation.
> >
> > I think that is a reasonable approach.
>
> FYI, I just realised that FreshPorts can only determine the
> ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} for existing ports. This will
> exclude ports which have been deleted. Those values aren't easy to grab.

Right, thus my several allusions to a non-existent "package name
history" database. :-)

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From dan at langille.org Mon Sep 13 13:43:32 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 14:00:13 2004
Subject: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port)
In-Reply-To: <20040913174748.GC71191@madman.celabo.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org>
Message-ID: <20040913163933.O22240@xeon.unixathome.org>

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> > If I am correct, then I have some questions about the following entries.
> >
> > What ports do the following refer to?
> >
> > iaskmpd
> security/isakmpd

I thought something was wrong there.

Typo. The 2nd and 3rd letters are transposed:

- iaskmpd
+ isakmpd

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From nectar at FreeBSD.org Mon Sep 13 13:47:59 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Mon Sep 13 14:00:13 2004
Subject: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port)
In-Reply-To: <20040913163933.O22240@xeon.unixathome.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913163933.O22240@xeon.unixathome.org>
Message-ID: <20040913204739.GT71191@madman.celabo.org>

On Mon, Sep 13, 2004 at 04:43:25PM -0400, Dan Langille wrote:
> On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
>
> > > If I am correct, then I have some questions about the following entries.
> > >
> > > What ports do the following refer to?
> > >
> > > iaskmpd
> > security/isakmpd
>
> I thought something was wrong there.
>
> Typo. The 2nd and 3rd letters are transposed:
>
> - iaskmpd
> + isakmpd

Bwahahah
Thanks for catching!

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From dan at langille.org Mon Sep 13 13:49:47 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 14:10:29 2004
Subject: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port)
In-Reply-To: <20040913204739.GT71191@madman.celabo.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org>
Message-ID: <20040913164904.O22240@xeon.unixathome.org>

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 04:43:25PM -0400, Dan Langille wrote:
> > On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
> >
> > > > If I am correct, then I have some questions about the following entries.
> > > >
> > > > What ports do the following refer to?
> > > >
> > > > iaskmpd
> > > security/isakmpd
> >
> > I thought something was wrong there.
> >
> > Typo. The 2nd and 3rd letters are transposed:
> >
> > - iaskmpd
> > + isakmpd
>
> Bwahahah
> Thanks for catching!

The question is, how does portaudit know to report it?

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From dan at langille.org Mon Sep 13 13:53:37 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 13 14:10:30 2004
Subject: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port)
In-Reply-To: <20040913204739.GT71191@madman.celabo.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org>
Message-ID: <20040913165130.U22240@xeon.unixathome.org>

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 04:43:25PM -0400, Dan Langille wrote:
> > On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:
> >
> > > > If I am correct, then I have some questions about the following entries.
> > > >
> > > > What ports do the following refer to?
> > > >
> > > > iaskmpd
> > > security/isakmpd
> >
> > I thought something was wrong there.
> >
> > Typo. The 2nd and 3rd letters are transposed:
> >
> > - iaskmpd
> > + isakmpd
>
> Bwahahah
> Thanks for catching!

Oh, portaudit doesn't use vuxml. I see.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From nectar at FreeBSD.org Mon Sep 13 14:37:16 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Mon Sep 13 14:59:13 2004
Subject: b7cb488c-8349-11d8-a41f-0020ed76ef5a : wrong package name (was Re: Matching a name to a port)
In-Reply-To: <20040913164904.O22240@xeon.unixathome.org> <20040913165130.U22240@xeon.unixathome.org>
References: <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org> <20040913164904.O22240@xeon.unixathome.org> <20040913123610.G22240@xeon.unixathome.org> <20040913174748.GC71191@madman.celabo.org> <20040913163933.O22240@xeon.unixathome.org> <20040913204739.GT71191@madman.celabo.org> <20040913165130.U22240@xeon.unixathome.org>
Message-ID: <20040913213657.GD79520@madman.celabo.org>

On Mon, Sep 13, 2004 at 04:53:35PM -0400, Dan Langille wrote:
> Oh, portaudit doesn't use vuxml. I see.

On Mon, Sep 13, 2004 at 04:49:41PM -0400, Dan Langille wrote:
> The question is, how does portaudit know to report it?

Portaudit *does* use VuXML, though it is not the sole source of
information from which it pulls.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From dan at langille.org Sat Sep 18 14:21:38 2004
From: dan at langille.org (Dan Langille)
Date: Sat Sep 18 14:21:42 2004
Subject: confused by ranges
Message-ID: <414C6EA1.25173.34BD6CDE@localhost>

I'm having a quick look through vuln.xml:

2.02.0.50_3

Intuitively, that means you are vulnerable if you have versions >=
2.0 or < 2.0.50_3.

Is that correct? Is that how to apply the rules. I found the DTD
confused me more than the examples did.

This is an interesting example:

1.1.2_1
2.0

Two range statements in the same package... instead of one range with
two operators. Why?
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From mat at FreeBSD.org Sun Sep 19 01:01:54 2004
From: mat at FreeBSD.org (Mathieu Arnold)
Date: Sun Sep 19 01:01:56 2004
Subject: confused by ranges
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost>
Message-ID: <5127566408FEC0289696CC7A@nescarba.in.t-online.fr>

+-On 18/09/2004 17:21 -0400, Dan Langille wrote:
| I'm having a quick look through vuln.xml:
|
| 2.02.0.50_3
|
| Intuitively, that means you are vulnerable if you have versions >=
| 2.0 or < 2.0.50_3.

This one is an AND : VER > 2.0 AND VER < 2.0.50_3

| Is that correct? Is that how to apply the rules. I found the DTD
| confused me more than the examples did.
|
| This is an interesting example:
|
| 1.1.2_1
| 2.0
|
| Two range statements in the same package... instead of one range with
| two operators. Why?

This one is an OR, that is VER < 1.1.2_1 or VER > 2.0

because the version can't be < 1.1.2_1 and > 2.0.

--
Mathieu Arnold

From dan at langille.org Sun Sep 19 05:38:35 2004
From: dan at langille.org (Dan Langille)
Date: Sun Sep 19 05:38:36 2004
Subject: confused by ranges
In-Reply-To: <4433CFB17394B75789799BD9@nescarba.in.t-online.fr>
References: <414C6EA1.25173.34BD6CDE@localhost>
Message-ID: <414D4589.218.3804EA89@localhost>

On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:

> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
> | I'm having a quick look through vuln.xml:
> |
> | 2.02.0.50_3
> |
> | Intuitively, that means you are vulnerable if you have versions >=
> | 2.0 or < 2.0.50_3.
>
> This one is an AND : VER > 2.0 AND VER < 2.0.50_3

If there are two operators in a range, it is an AND. The testing
values always goes before the supplied operator. Correct?

> | Is that correct? Is that how to apply the rules. I found the DTD
> | confused me more than the examples did.
> |
> | This is an interesting example:
> |
> | 1.1.2_1
> | 2.0
> |
> | Two range statements in the same package... instead of one range with
> | two operators. Why?
>
> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
>
> because the version can't be < 1.1.2_1 and > 2.0.

If there are multiple ranges for a package within a vuln, they are
used to construct an OR. Actually, they could be applied separately
to test values separately (i.e. if one was processing this one row at
a time, you could just test the value and not worry about whether or
not the next row contained another range entry).

Correct?

Thank you.
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From mat at FreeBSD.org Sun Sep 19 05:47:16 2004
From: mat at FreeBSD.org (Mathieu Arnold)
Date: Sun Sep 19 05:47:19 2004
Subject: confused by ranges
In-Reply-To: <414D4589.218.3804EA89@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost> <414D4589.218.3804EA89@localhost>
Message-ID: <406631FA4FA5D14563850431@nescarba.in.t-online.fr>

+-On 19/09/2004 08:38 -0400, Dan Langille wrote:
| On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:
|
|> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
|> | I'm having a quick look through vuln.xml:
|> |
|> | 2.02.0.50_3
|> |
|> | Intuitively, that means you are vulnerable if you have versions >=
|> | 2.0 or < 2.0.50_3.
|>
|> This one is an AND : VER > 2.0 AND VER < 2.0.50_3
|
| If there are two operators in a range, it is an AND. The testing
| values always goes before the supplied operator. Correct?
|
|> | Is that correct? Is that how to apply the rules. I found the DTD
|> | confused me more than the examples did.
|> |
|> | This is an interesting example:
|> |
|> | 1.1.2_1
|> | 2.0
|> |
|> | Two range statements in the same package... instead of one range with
|> | two operators. Why?
|>
|> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
|>
|> because the version can't be < 1.1.2_1 and > 2.0.
|
| If there are multiple ranges for a package within a vuln, they are
| used to construct an OR. Actually, they could be applied separately
| to test values separately (i.e. if one was processing this one row at
| a time, you could just test the value and not worry about whether or
| not the next row contained another range entry).
|
| Correct?

Yes, I think this description is a bit too complicated. A ... value
defines a range of affected versions, and there can be multiple ranges
for a package.
But we're saying the same thing :-)

--
Mathieu Arnold
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 479 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-vuxml/attachments/20040919/4f1356f3/attachment.bin

From nectar at FreeBSD.org Sun Sep 19 08:24:45 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Sun Sep 19 08:24:47 2004
Subject: confused by ranges
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost>
Message-ID: <20040919152424.GA16616@lum.celabo.org>

On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> I'm having a quick look through vuln.xml:
>
> 2.02.0.50_3
>
> Intuitively, that means you are vulnerable if you have versions >=
> 2.0 or < 2.0.50_3.

Not quite. elements specify version ranges (intervals). The
snip above specifies

    x >= 2.0 AND x < 2.0.50_3
    2.0 <= x < 2.0.50_3
    [2.0, 2.0.50_3)

All of these are acceptable means of expressing the same idea. I tend
to visualize the middle one... and in fact that is how I render the
ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").

> Is that correct? Is that how to apply the rules. I found the DTD
> confused me more than the examples did.

Then perhaps I should add some more examples and work on the text
description :-)

> This is an interesting example:
>
> 1.1.2_1
> 2.0
>
> Two range statements in the same package... instead of one range with
> two operators. Why?

Because they are two non-contiguous ranges and cannot be expressed by a
single interval. The two are:

    x < 1.1.2_1
    2.0 >= x

or equivalently [0, 1.1.2_1) and [2.0, infinity).

Hmm, re-reading what you wrote, it seems you want to think of it
algorithmically. In that case, you could interpret each element
as containing expressions that should be ANDed (although the number and
form of the expressions are constrained by the DTD), while multiple
elements in one should be ORed.
Hope this helps!

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From nectar at FreeBSD.org Sun Sep 19 08:33:10 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Sun Sep 19 08:33:12 2004
Subject: confused by ranges
In-Reply-To: <414D4589.218.3804EA89@localhost>
References: <414C6EA1.25173.34BD6CDE@localhost> <414D4589.218.3804EA89@localhost>
Message-ID: <20040919153245.GB16616@lum.celabo.org>

On Sun, Sep 19, 2004 at 08:38:33AM -0400, Dan Langille wrote:
> > This one is an AND : VER > 2.0 AND VER < 2.0.50_3
>
> If there are two operators in a range, it is an AND. The testing
> values always goes before the supplied operator. Correct?
[...]
> If there are multiple ranges for a package within a vuln, they are
> used to construct an OR.

When dealing with ranges programmatically, one should probably handle
them as one would an interval in any application, e.g.

    struct interval {
        Version low;
        bool low_closed;
        Version high;
        bool high_closed;
    };

Then comparison is

    for (int i = 0; i < interval_count; ++i)
        /* x must satisfy the lower bound AND the upper bound */
        if ((interval[i].low < x ||
             (interval[i].low_closed && interval[i].low == x)) &&
            (interval[i].high > x ||
             (interval[i].high_closed && interval[i].high == x)))
            /* it is affected */ ;

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From dan at langille.org Sun Sep 19 16:35:58 2004
From: dan at langille.org (Dan Langille)
Date: Sun Sep 19 16:36:00 2004
Subject: confused by ranges
In-Reply-To: <20040919152424.GA16616@lum.celabo.org>
References: <414C6EA1.25173.34BD6CDE@localhost>
Message-ID: <414DDF9D.23278.3A5EC686@localhost>

On 19 Sep 2004 at 10:24, Jacques A. Vidrine wrote:

> On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> > I'm having a quick look through vuln.xml:
> >
> > 2.02.0.50_3
> >
> > Intuitively, that means you are vulnerable if you have versions >=
> > 2.0 or < 2.0.50_3.
>
> Not quite. elements specify version ranges (intervals).
> The snip above specifies
>
> x >= 2.0 AND x < 2.0.50_3
> 2.0 <= x < 2.0.50_3
> [2.0, 2.0.50_3)
>
> All of these are acceptable means of expressing the same idea. I tend
> to visualize the middle one... and in fact that is how I render the
> ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").

FWIW, the FreshPorts vuxml_ranges is set up with that in mind. It
looks something like this:

version_start | operator_start | operator_end | version_end

And the version being tested goes between the second and third
columns. However, I think I will now change this. What I have
requires flipping an operator. For now, I'd rather duplicate exactly
what is in the vuln.xml file.

> > Is that correct? Is that how to apply the rules. I found the DTD
> > confused me more than the examples did.
>
> Then perhaps I should add some more examples and work on the text
> description :-)

Yep. Practical examples work wonders.

> > This is an interesting example:
> >
> > 1.1.2_1
> > 2.0
> >
> > Two range statements in the same package... instead of one range with
> > two operators. Why?
>
> Because they are two non-contiguous ranges and cannot be expressed by a
> single interval. The two are:
>
> x < 1.1.2_1
> 2.0 >= x
>
> or equivalently [0, 1.1.2_1) and [2.0, infinity).
>
>
> Hmm, re-reading what you wrote, it seems you want to think of it
> algorithmically. In that case, you could interpret each element
> as containing expressions that should be ANDed (although the number and
> form of the expressions are constrained by the DTD), while multiple
> elements in one should be ORed.
>
> Hope this helps!

It does. Thanks. I know how to complete this part now.
cheers
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From dan at langille.org Mon Sep 20 06:19:55 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 20 06:19:58 2004
Subject: confused by ranges
In-Reply-To: <20040919152424.GA16616@lum.celabo.org>
References: <414C6EA1.25173.34BD6CDE@localhost>
Message-ID: <414EA0BA.11003.3D512193@localhost>

On 19 Sep 2004 at 10:24, Jacques A. Vidrine wrote:

> > This is an interesting example:
> >
> > 1.1.2_1
> > 2.0
> >
> > Two range statements in the same package... instead of one range with
> > two operators. Why?
>
> Because they are two non-contiguous ranges and cannot be expressed by a
> single interval. The two are:
>
> x < 1.1.2_1
> 2.0 >= x
>
> or equivalently [0, 1.1.2_1) and [2.0, infinity).
>
>
> Hmm, re-reading what you wrote, it seems you want to think of it
> algorithmically. In that case, you could interpret each element
> as containing expressions that should be ANDed (although the number and
> form of the expressions are constrained by the DTD), while multiple
> elements in one should be ORed.

I found an error in my tables. I was relating a range to a name.
That is incorrect. A package may have many names. The ranges in a
package relate to all the names. I've just changed my scripts and
modified my DDL.
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From dan at langille.org Tue Sep 21 18:46:37 2004
From: dan at langille.org (Dan Langille)
Date: Tue Sep 21 18:46:40 2004
Subject: FreshPorts beta now displays VuXML data
Message-ID: <20040921192821.K69630@xeon.unixathome.org>

Hi,

I just finished the first cut of the code that marks commits as affected
by VuXML data. Have a look at your favourite VuXML entry and see if the
associated package is affected.

e.g.
http://beta.freshports.org/?package=pine

This type of linking will be available in production once
FreshPorts::VuXML is migrated from beta to production.

I have not reviewed the output, however I do know that the display does
not yet handle multiple VuXML entries affecting a given package version.
However, the database does handle this type of relationship and
I've verified that it is being recorded. The HTML is lagging
behind the data.

If you see any errors etc, please let me know.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From dan at langille.org Wed Sep 22 09:13:39 2004
From: dan at langille.org (Dan Langille)
Date: Wed Sep 22 09:18:55 2004
Subject: FreshPorts beta now displays VuXML data
In-Reply-To: <20040921192821.K69630@xeon.unixathome.org>
Message-ID: <41516C72.24016.483CEA47@localhost>

On 21 Sep 2004 at 19:35, Dan Langille wrote:

> I just finished the first cut of the code that marks commits as affected
> by VuXML data. Have a look at your favourite VuXML entry and see if the
> associated package is affected.
>
> e.g. http://beta.freshports.org/?package=pine
>
> This type of linking will be available in production once
> FreshPorts::VuXML is migrated from beta to production.
>
> I have not reviewed the output, however I do know that the display does
> not yet handle multiple VuXML entries affecting a given package version.
> However, the database does handle this type of relationship and
> I've verified that it is being recorded. The HTML is lagging
> behind the data.
>
> If you see any errors etc, please let me know.

We have the first issue. FreshPorts beta is handling PORTEPOCH, but
that value is not set correctly for existing commits. Hence,
'pkg_version -t' does not get the correct values for testing commit
versions against vuln entries.
mat@ has provided this which gives me a list of ports which contain
an EPOCH:

    awk -F\| '$1 ~ /,/ {print $1 "\t\t" $2}' /usr/ports/INDEX-5

That's a good starting point. From there, I need to determine the
date[s] on which the PORTEPOCH came into effect. With that, I can do
something like this:

    update commit_log_ports
       set port_epoch='1'
     where port_id = 7366
       and commit_log_id >= 57525;

Ideas and suggestions are welcome.
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From nectar at FreeBSD.org Wed Sep 22 13:16:01 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Wed Sep 22 13:16:03 2004
Subject: FreshPorts beta now displays VuXML data
In-Reply-To: <20040921192821.K69630@xeon.unixathome.org>
References: <20040921192821.K69630@xeon.unixathome.org>
Message-ID: <20040922201538.GC57256@madman.celabo.org>

On Tue, Sep 21, 2004 at 07:35:20PM -0400, Dan Langille wrote:
> Hi,
>
> I just finished the first cut of the code that marks commits as affected
> by VuXML data. Have a look at your favourite VuXML entry and see if the
> associated package is affected.
>
> e.g. http://beta.freshports.org/?package=pine

Thanks, Dan! I've experimentally added links on VuXML.org pages to
FreshPorts URLs like the one above. Thus, if you click on a package
name at say
http://vuxml.freebsd.org/e9f9d232-0cb2-11d9-8a8a-000c41e2cdad.html
it will probably have you looking at the right FreshPorts entry.

(Since it is *beta*.freshports.org, for now at least there is no
indication that the package names are links unless you mouse over
them.)
Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From dan at langille.org Thu Sep 23 16:46:40 2004
From: dan at langille.org (Dan Langille)
Date: Thu Sep 23 16:46:42 2004
Subject: FreshPorts beta now displays VuXML data
In-Reply-To: <20040922201538.GC57256@madman.celabo.org>
References: <20040921192821.K69630@xeon.unixathome.org>
Message-ID: <41532817.15157.4F01E691@localhost>

On 22 Sep 2004 at 15:15, Jacques A. Vidrine wrote:

> On Tue, Sep 21, 2004 at 07:35:20PM -0400, Dan Langille wrote:
> > Hi,
> >
> > I just finished the first cut of the code that marks commits as affected
> > by VuXML data. Have a look at your favourite VuXML entry and see if the
> > associated package is affected.
> >
> > e.g. http://beta.freshports.org/?package=pine
>
> Thanks, Dan! I've experimentally added links on VuXML.org pages to
> FreshPorts URLs like the one above. Thus, if you click on a package
> name at say
> http://vuxml.freebsd.org/e9f9d232-0cb2-11d9-8a8a-000c41e2cdad.html
> it will probably have you looking at the right FreshPorts entry.

That looks good. I hope that type of linking makes it easier for
others to link.

FWIW, I am making progress on the VuXML issues. I have found that I
need to set historical PORTEPOCH for all ports that have a PORTEPOCH
[1]. By historical, I mean for each commit in FreshPorts. That's the
only way I can then get a proper test result from 'pkg_version -t'.

I'm almost there. This page
http://beta.freshports.org/tmp/epoch-fetching-slave.txt (500KB) lists
the ports that have a PORTEPOCH, the commits for that port, and the
historical value of the PORTEPOCH value for that commit.

I do this by literally fetching each revision of the Makefile.
FreshPorts knows that revision is associated with each commit (that
information is in the cvs-all email).

Obtaining the PORTEPOCH values is not a simple grep command. You
must do a "make -V PORTVERSION".
There are 27 ports containing an EPOCH value that are also slave
ports. Of these 27, two set their own EPOCH value, the other 25 get
it from the MASTERPORT. It is those 25 ports which are going to be
tougher. There are 15 distinct master ports involved (fortunately,
none of them have their own MASTERPORTs).

I'm not yet sure how I'm going to cope with these master ports. The
others should be straightforward.

[1] FWIW, there are 246 ports with a PORTEPOCH value. This differs
from the result of this command, perhaps because not all such ports
are in the INDEX I'm using (e.g. archivers/bsdtar)

    awk -F\| '$1 ~ /,/ {print $2 "/Makefile"}' /usr/ports/INDEX-

--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From dan at langille.org Fri Sep 24 09:04:55 2004
From: dan at langille.org (Dan Langille)
Date: Fri Sep 24 09:51:26 2004
Subject: Are the mozilla ranges correct for 7c188c55-0cb0-11d9-8a8a-000c41e2cdad?
Message-ID: <41540D65.1435.5281A20F@localhost>

Hi folks.

I'm looking at vuln 7c188c55-0cb0-11d9-8a8a-000c41e2cdad which
affects mozilla with these ranges:

1.7.2,2
1.8.a

Should that ge range include an EPOCH of 2 (i.e. 1.8.a,2)?

$ pkg_version -t 1.7.2_1,2 1.8.a
>
$ pkg_version -t 1.7.2_1,2 1.8.a,2
<

Once a PORTEPOCH, always a PORTEPOCH?

FWIW, www/mozilla is still on 1.7
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From nectar at FreeBSD.org Fri Sep 24 17:56:43 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Fri Sep 24 17:56:46 2004
Subject: Are the mozilla ranges correct for 7c188c55-0cb0-11d9-8a8a-000c41e2cdad?
In-Reply-To: <41540D65.1435.5281A20F@localhost>
References: <41540D65.1435.5281A20F@localhost>
Message-ID: <20040925005617.GA50478@madman.celabo.org>

On Fri, Sep 24, 2004 at 12:04:53PM -0400, Dan Langille wrote:
> Hi folks.
>
> I'm looking at vuln 7c188c55-0cb0-11d9-8a8a-000c41e2cdad which
> affects mozilla with these ranges:
>
> 1.7.2,2
> 1.8.a
>
> Should that ge range include an EPOCH of 2 (i.e. 1.8.a,2)?

Yes, thanks for catching!

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From dan at langille.org Sat Sep 25 14:15:29 2004
From: dan at langille.org (Dan Langille)
Date: Sat Sep 25 14:15:30 2004
Subject: FreshPorts :: VuXML - 6e740881-0cae-11d9-8a8a-000c41e2cdad
Message-ID: <4155A7A2.15775.198F30A@localhost>

Hi folks,

I'm looking for additional pairs of eyes to verify that FreshPorts
has marked the correct commits for:

6e740881-0cae-11d9-8a8a-000c41e2cdad

The FreshPorts pages to view are:

Nothing affected by this vuln. It seems the affected versions were
never put into our tree. Ranges are:

1.7.a,21.7
1.8.a,21.8.a2,2

Should that top one be 1.7,2 not 1.7?

There are two packages with the name mozilla. In addition to the URL
listed above, see also:

Nothing affected there. We have only 1.4b-1.6a in the tree. Looks
good.

The ranges are: 1.7.a1.7

Nothing marked at that URL either.

Is this looking good or bad?
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From dan at langille.org Sat Sep 25 19:13:23 2004
From: dan at langille.org (Dan Langille)
Date: Sat Sep 25 19:13:25 2004
Subject: vuln refers to apache13 - no such package
Message-ID: <20040925221034.T54484@xeon.unixathome.org>

Hi folks,

Just looking at "ca6c8f35-0a5f-11d9-ad6f-00061bc2ad93" which contains
this:

apache13

But, from what FreshPorts knows, there is no such package.
These are the packages it knows:

www/apache13-ssl | apache+ssl
www/apache13-modssl+ipv6 | apache+mod_ssl+ipv6
www/apache13-modssl | apache+mod_ssl
www/apache13-modperl | apache+mod_perl
www/apache13+ipv6 | apache+ipv6
www/apache13 | apache
www/apache-jserv | apache-jserv
www/apache2 | apache
www/apache-forrest | apache-forrest
www/apache-contrib | apache-contrib
net/apache-soap | apache-soap
devel/apache-ant | apache-ant
sysutils/apachetop | apachetop

Should the vuln be changed? Is FreshPorts wrong?

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From nectar at FreeBSD.org Sun Sep 26 11:05:04 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Sun Sep 26 11:05:31 2004
Subject: vuxml corrections (was Re: FreshPorts :: VuXML - 6e740881-0cae-11d9-8a8a-000c41e2cdad)
In-Reply-To: <20040925221034.T54484@xeon.unixathome.org> <4155A7A2.15775.198F30A@localhost>
References: <20040925221034.T54484@xeon.unixathome.org> <4155A7A2.15775.198F30A@localhost>
Message-ID: <20040926180436.GA20112@madman.celabo.org>

Thanks for catching and reporting these, Dan!

On Sat, Sep 25, 2004 at 05:15:14PM -0400, Dan Langille wrote:
> Hi folks,
>
> I'm looking for additional pairs of eyes to verify that FreshPorts
> has marked the correct commits for:
>
> 6e740881-0cae-11d9-8a8a-000c41e2cdad
>
> The FreshPorts pages to view are:
>
>
>
> Nothing affected by this vuln. It seems the affected versions were
> never put into our tree. Ranges are:
>
> 1.7.a,21.7
> 1.8.a,21.8.a2,2
>
> Should that top one be 1.7,2 not 1.7?

Yep! Corrected.

> There are two packages with the name mozilla. In addition to the URL
> listed above, see also:
>
>
>
> Nothing affected there. We have only 1.4b-1.6a in the tree. Looks
> good.

I think I misunderstood something. We certainly have later versions,
and the referenced page lists them, e.g. mozilla-1.8.a3,2.

>
>
> The ranges are: 1.7.a1.7
>
> Nothing marked at that URL either.
>
> Is this looking good or bad?
Yep, that looks good!

On Sat, Sep 25, 2004 at 10:13:18PM -0400, Dan Langille wrote:
> Hi folks,
>
> Just looking at "ca6c8f35-0a5f-11d9-ad6f-00061bc2ad93" which contains
> this:
>
> apache13
>
> But, from what FreshPorts knows, there is no such package. These are the
> packages it knows:
>
> www/apache13-ssl | apache+ssl
> www/apache13-modssl+ipv6 | apache+mod_ssl+ipv6
> www/apache13-modssl | apache+mod_ssl
> www/apache13-modperl | apache+mod_perl
> www/apache13+ipv6 | apache+ipv6
> www/apache13 | apache
> www/apache-jserv | apache-jserv
> www/apache2 | apache
> www/apache-forrest | apache-forrest
> www/apache-contrib | apache-contrib
> net/apache-soap | apache-soap
> devel/apache-ant | apache-ant
> sysutils/apachetop | apachetop
>
> Should the vuln be changed? Is FreshPorts wrong?

You are correct, the element is wrong. Corrected.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From dan at langille.org Sun Sep 26 16:34:56 2004
From: dan at langille.org (Dan Langille)
Date: Sun Sep 26 16:34:57 2004
Subject: vuxml corrections (was Re: FreshPorts :: VuXML - 6e740881-0cae-11d9-8a8a-000c41e2cdad)
In-Reply-To: <20040926180436.GA20112@madman.celabo.org>
References: <20040925221034.T54484@xeon.unixathome.org> <4155A7A2.15775.198F30A@localhost>
Message-ID: <415719DA.21902.73F1F41@localhost>

On 26 Sep 2004 at 13:04, Jacques A. Vidrine wrote:

> Thanks for catching and reporting these, Dan!

I think we might be able to add VuXML sanity checking to FreshPorts
if we can come up with some rules, or simple concepts. I'm only
catching them because I'm looking closely at the results.

> On Sat, Sep 25, 2004 at 05:15:14PM -0400, Dan Langille wrote:
> > Hi folks,
> >
> > I'm looking for additional pairs of eyes to verify that FreshPorts
> > has marked the correct commits for:
> >
> > 6e740881-0cae-11d9-8a8a-000c41e2cdad
> >
> > The FreshPorts pages to view are:
> >
> >
> >
> > Nothing affected by this vuln.
> > It seems the affected versions were
> > never put into our tree. Ranges are:
> >
> > 1.7.a,21.7
> > 1.8.a,21.8.a2,2
> >
> > Should that top one be 1.7,2 not 1.7?
>
> Yep! Corrected.

Good. Then I'm beginning to get a handle on what ranges should be
when an EPOCH is involved.

> > There are two packages with the name mozilla. In addition to the URL
> > listed above, see also:
> >
> >
> >
> > Nothing affected there. We have only 1.4b-1.6a in the tree. Looks
> > good.
>
> I think I misunderstood something. We certainly have later versions,
> and the referenced page lists them, e.g. mozilla-1.8.a3,2.

I don't know now. Perhaps I should run it again with just the one
vuln in question. That's later this week.

I have rerun the FreshPorts VuXML with the latest vuln.xml file. I
will review the commits later in the week.
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From dan at langille.org Mon Sep 27 19:59:54 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 27 19:59:57 2004
Subject: PHPNuke or phpnuke
Message-ID: <20040927225836.L6886@xeon.unixathome.org>

Hi,

In vuln 33ab4a47-bfc1-11d8-b00e-000347a4fa7d, the package name is PHPNuke.
I think it should be lower case (as in
75770425-67a2-11d8-80e3-0020ed76ef5a).

cheers

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From dan at langille.org Mon Sep 27 20:13:29 2004
From: dan at langille.org (Dan Langille)
Date: Mon Sep 27 20:13:30 2004
Subject: VuXML entries found in FreshPorts
Message-ID: <20040927221759.N6886@xeon.unixathome.org>

The following URL lists the VuXML found in FreshPorts:

http://beta.freshports.org/vuxml.php?list

The first column is the name of the package and a link to the vuln listing
at http://www.vuxml.org/. If there is more than one vuln, you get a list
of the vulns.

The second column is the number of vulns registered against that package.
The third column is the link to the FreshPorts entry for this package.

The totals at the bottom of the page include only those vulns that affect
a package (i.e. OS-specific vulns are not recorded in FreshPorts).

The next step in comparing vuln.xml against FreshPorts is to compare the
above URL with http://www.vuxml.org/freebsd/index-pkg.html

I have compared the two lists visually. I didn't find anything that
would make me think FreshPorts isn't displaying everything correctly.
A few random checks shows expected results (e.g. opera, netscape7,
libxine).

The more eyes that can check the results, the better. If you are familiar
with a particular vulnerability, I would appreciate feedback regarding the
accuracy.

thanks.

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From m.seaman at infracaninophile.co.uk Tue Sep 28 01:08:30 2004
From: m.seaman at infracaninophile.co.uk (Matthew Seaman)
Date: Tue Sep 28 01:09:13 2004
Subject: VuXML entries found in FreshPorts
In-Reply-To: <20040927221759.N6886@xeon.unixathome.org>
References: <20040927221759.N6886@xeon.unixathome.org>
Message-ID: <20040928080824.GB76460@happy-idiot-talk.infracaninophile.co.uk>

On Mon, Sep 27, 2004 at 11:13:28PM -0400, Dan Langille wrote:
> The following URL lists the VuXML found in FreshPorts:
>
> http://beta.freshports.org/vuxml.php?list

> The more eyes that can check the results, the better. If you are familiar
> with a particular vulnerability, I would appreciate feedback regarding the
> accuracy.

Here's one that I have a particular interest in. Compare

0d4c31ac-cb91-11d8-8898-000d6111a684
cc0fb686-6550-11d8-80e3-0020ed76ef5a

The first isn't registered in
http://beta.freshports.org/databases/phpmyadmin/ correctly, but the
second is.

Difference is the capitalisation: phpmyadmin vs. phpMyAdmin: the port
may be databases/phpmyadmin, but the LATEST_LINK and the package name
use phpMyAdmin.
I guess that should be fixed in the vuln.xml for
0d4c31ac-cb91-11d8-8898-000d6111a684.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-vuxml/attachments/20040928/b2b300e1/attachment.bin

From dan at langille.org Tue Sep 28 04:20:41 2004
From: dan at langille.org (Dan Langille)
Date: Tue Sep 28 04:20:44 2004
Subject: VuXML entries found in FreshPorts
In-Reply-To: <20040928080824.GB76460@happy-idiot-talk.infracaninophile.co.uk>
References: <20040927221759.N6886@xeon.unixathome.org>
Message-ID: <415910C5.15935.EEBA400@localhost>

On 28 Sep 2004 at 9:08, Matthew Seaman wrote:

> Difference is the capitalisation: phpmyadmin vs. phpMyAdmin: the port
> may be databases/phpmyadmin, but the LATEST_LINK and the package name
> use phpMyAdmin. I guess that should be fixed in the vuln.xml for
> 0d4c31ac-cb91-11d8-8898-000d6111a684.

Good catch. That is similar to the phpNuke issue I found last night.
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From nectar at FreeBSD.org Tue Sep 28 06:37:05 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Tue Sep 28 06:37:34 2004
Subject: VuXML entries found in FreshPorts
In-Reply-To: <20040928080824.GB76460@happy-idiot-talk.infracaninophile.co.uk>
References: <20040927221759.N6886@xeon.unixathome.org> <20040928080824.GB76460@happy-idiot-talk.infracaninophile.co.uk>
Message-ID: <20040928133639.GA75508@madman.celabo.org>

On Tue, Sep 28, 2004 at 09:08:24AM +0100, Matthew Seaman wrote:
> Difference is the capitalisation: phpmyadmin vs. phpMyAdmin: the port
> may be databases/phpmyadmin, but the LATEST_LINK and the package name
> use phpMyAdmin.
> I guess that should be fixed in the vuln.xml for
> 0d4c31ac-cb91-11d8-8898-000d6111a684.

Yes, you are right. Fixed. Thanks for catching!
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From nectar at FreeBSD.org Tue Sep 28 08:05:59 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Tue Sep 28 08:25:29 2004
Subject: PHPNuke or phpnuke
In-Reply-To: <20040927225836.L6886@xeon.unixathome.org>
References: <20040927225836.L6886@xeon.unixathome.org>
Message-ID: <20040928150534.GC23453@madman.celabo.org>

On Mon, Sep 27, 2004 at 10:59:53PM -0400, Dan Langille wrote:
> Hi,
>
> In vuln 33ab4a47-bfc1-11d8-b00e-000347a4fa7d, the package name is PHPNuke.
> I think it should be lower case (as in
> 75770425-67a2-11d8-80e3-0020ed76ef5a).

Right-o, fixed!

This is great, we need this kind of double-checking.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From dan at langille.org Tue Sep 28 14:59:44 2004
From: dan at langille.org (Dan Langille)
Date: Tue Sep 28 14:59:45 2004
Subject: PHPNuke or phpnuke
In-Reply-To: <20040928150534.GC23453@madman.celabo.org>
References: <20040927225836.L6886@xeon.unixathome.org>
Message-ID: <4159A68B.265.1134B3B2@localhost>

On 28 Sep 2004 at 10:05, Jacques A. Vidrine wrote:

> On Mon, Sep 27, 2004 at 10:59:53PM -0400, Dan Langille wrote:
> > Hi,
> >
> > In vuln 33ab4a47-bfc1-11d8-b00e-000347a4fa7d, the package name is PHPNuke.
> > I think it should be lower case (as in
> > 75770425-67a2-11d8-80e3-0020ed76ef5a).
>
> Right-o, fixed!
>
> This is great, we need this kind of double-checking.

I'm not sure what type of sanity checking FreshPorts can do here.
Ideas are welcome.
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From dan at langille.org Tue Sep 28 15:23:46 2004
From: dan at langille.org (Dan Langille)
Date: Tue Sep 28 15:23:49 2004
Subject: (Fwd) cvs commit: ports/security/vuxml vuln.xml
Message-ID: <4159AC2E.27531.114AB696@localhost>

FWIW, between the other fixes and this one, the number of affected
packages went up by 40 to 395, and the number of vulns went up
by 3 to 174.

http://beta.freshports.org/vuxml.php?list and the rest of FreshPorts
has been updated with the recent changes.

The next step is to automate what I've been doing manually so that
FreshPorts VuXML data is updated automagically with each vuxml.xml
commit.

------- Forwarded message follows -------
From: Jacques Vidrine
Date sent: Tue, 28 Sep 2004 18:02:03 +0000 (UTC)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/security/vuxml vuln.xml

[ Double-click this line for list subscription options ]

nectar 2004-09-28 18:02:03 UTC

FreeBSD ports repository

Modified files:
  security/vuxml vuln.xml
Log:
Make an initial attempt at covering all Mozilla/Firefox/Thunderbird
package names that we've had. Similar changes need to be made to many
other entries, but let's use this one as a test subject first.
Approved by: portmgr

Revision Changes Path
1.258 +37 -10 ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

------- End of forwarded message -------
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From trhodes at FreeBSD.org Tue Sep 28 15:27:17 2004
From: trhodes at FreeBSD.org (Tom Rhodes)
Date: Tue Sep 28 15:27:18 2004
Subject: (Fwd) cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <4159AC2E.27531.114AB696@localhost>
References: <4159AC2E.27531.114AB696@localhost>
Message-ID: <20040928182756.5be693ef@localhost>

On Tue, 28 Sep 2004 18:23:42 -0400
"Dan Langille" wrote:

> FWIW, between the other fixes and this one, the number of affected
> packages went up by 40 to 395, and the number of vulns went up
> by 3 to 174.
>
> http://beta.freshports.org/vuxml.php?list and the rest of FreshPorts
> has been updated with the recent changes.
>
> The next step is to automate what I've been doing manually so that
> FreshPorts VuXML data is updated automagically with each vuxml.xml
> commit.

Is it just a script that updates when run or?

--
Tom Rhodes

From nectar at FreeBSD.org Tue Sep 28 15:40:43 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Tue Sep 28 15:41:46 2004
Subject: (Fwd) cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <4159AC2E.27531.114AB696@localhost>
References: <4159AC2E.27531.114AB696@localhost>
Message-ID: <20040928223954.GB18530@madman.celabo.org>

On Tue, Sep 28, 2004 at 06:23:42PM -0400, Dan Langille wrote:
> FWIW, between the other fixes and this one, the number of affected
> packages went up by 40 to 395, and the number of vulns went up
> by 3 to 174.

OK good, that sounds like it had the desired effect, then!
Based on some feedback from other folks, I suspect that there will be
some other non-obvious packages that need to be marked as affected
also (e.g. openoffice). I'll try to get to those tomorrow.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From dan at langille.org Wed Sep 29 03:28:51 2004
From: dan at langille.org (Dan Langille)
Date: Wed Sep 29 03:29:09 2004
Subject: (Fwd) cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <20040928182756.5be693ef@localhost>
References: <4159AC2E.27531.114AB696@localhost>
Message-ID: <415A5622.28007.13E297A6@localhost>

On 28 Sep 2004 at 18:27, Tom Rhodes wrote:

> On Tue, 28 Sep 2004 18:23:42 -0400
> "Dan Langille" wrote:
>
> > FWIW, between the other fixes and this one, the number of affected
> > packages went up by 40 to 395, and the number of vulns went up
> > by 3 to 174.
> >
> > http://beta.freshports.org/vuxml.php?list and the rest of FreshPorts
> > has been updated with the recent changes.
> >
> > The next step is to automate what I've been doing manually so that
> > FreshPorts VuXML data is updated automagically with each vuxml.xml
> > commit.
>
> Is it just a script that updates when run or?

Yes.
It is a two stage process:

# import the vulnerabilities
perl process_vuxml.pl < ~/ports/security/vuxml/vuln.xml

# mark the commits
perl vuxml_mark_commits.pl

--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From trhodes at FreeBSD.org Wed Sep 29 14:05:22 2004
From: trhodes at FreeBSD.org (Tom Rhodes)
Date: Wed Sep 29 14:05:25 2004
Subject: (Fwd) cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <415A5622.28007.13E297A6@localhost>
References: <4159AC2E.27531.114AB696@localhost> <415A5622.28007.13E297A6@localhost>
Message-ID: <20040929170602.43a2738a@localhost>

On Wed, 29 Sep 2004 06:28:50 -0400
"Dan Langille" wrote:

> On 28 Sep 2004 at 18:27, Tom Rhodes wrote:
>
> > On Tue, 28 Sep 2004 18:23:42 -0400
> > "Dan Langille" wrote:
> >
> > > FWIW, between the other fixes and this one, the number of affected
> > > packages went up by 40 to 395, and the number of vulns went up
> > > by 3 to 174.
> > >
> > > http://beta.freshports.org/vuxml.php?list and the rest of FreshPorts
> > > has been updated with the recent changes.
> > >
> > > The next step is to automate what I've been doing manually so that
> > > FreshPorts VuXML data is updated automagically with each vuxml.xml
> > > commit.
> >
> > Is it just a script that updates when run or?
>
> Yes. It is a two stage process:
>
> # import the vulnerabilities
> perl process_vuxml.pl < ~/ports/security/vuxml/vuln.xml
>
> # mark the commits
> perl vuxml_mark_commits.pl

Oh, then just drop it into cron(8).
:)

--
Tom Rhodes

From dan at langille.org Thu Sep 30 03:35:41 2004
From: dan at langille.org (Dan Langille)
Date: Thu Sep 30 03:36:18 2004
Subject: (Fwd) cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <20040929170602.43a2738a@localhost>
References: <415A5622.28007.13E297A6@localhost>
Message-ID: <415BA93C.28930.190F364F@localhost>

On 29 Sep 2004 at 17:06, Tom Rhodes wrote:

> On Wed, 29 Sep 2004 06:28:50 -0400
> "Dan Langille" wrote:
>
> > On 28 Sep 2004 at 18:27, Tom Rhodes wrote:
> >
> > > On Tue, 28 Sep 2004 18:23:42 -0400
> > > "Dan Langille" wrote:
> > >
> > > > FWIW, between the other fixes and this one, the number of affected
> > > > packages went up by 40 to 395, and the number of vulns went up
> > > > by 3 to 174.
> > > >
> > > > http://beta.freshports.org/vuxml.php?list and the rest of FreshPorts
> > > > has been updated with the recent changes.
> > > >
> > > > The next step is to automate what I've been doing manually so that
> > > > FreshPorts VuXML data is updated automagically with each vuxml.xml
> > > > commit.
> > >
> > > Is it just a script that updates when run or?
> >
> > Yes. It is a two stage process:
> >
> > # import the vulnerabilities
> > perl process_vuxml.pl < ~/ports/security/vuxml/vuln.xml
> >
> > # mark the commits
> > perl vuxml_mark_commits.pl
>
> Oh, then just drop it into cron(8). :)

Close! I need to convert both into packages, and call them from a
single script with transaction control. Then invoke that script when
a commit against vuxml.xml is found.

--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/