From josef at daemon.li Tue Jan 11 04:13:08 2005 From: josef at daemon.li (Josef El-Rayes) Date: Tue Jan 11 04:13:09 2005 Subject: missing namespace document Message-ID: <20050111121306.GB19823@daemon.li> hi! i tried to parse the vuxml document with the xml parser that comes with mono and i was not able to parse the document for quite some time until i found out that the problem is that the namespace document is not available, when i remove the namespace declaration then it works. when i enter http://www.vuxml.org/apps/vuxml-1 in the browser i get Not Found The requested URL /apps/vuxml-1 was not found on this server. shouldn't the namespace exist? -josef -- Josef El-Rayes (__) Email: josef@daemon.li \\\'',) Web: http://daemon.li/ \/ \ ^ FreeBSD Security Team .\._/_) From simon at FreeBSD.org Tue Jan 11 04:18:25 2005 From: simon at FreeBSD.org (Simon L. Nielsen) Date: Tue Jan 11 04:18:27 2005 Subject: missing namespace document In-Reply-To: <20050111121306.GB19823@daemon.li> References: <20050111121306.GB19823@daemon.li> Message-ID: <20050111121823.GG771@zaphod.nitro.dk> On 2005.01.11 12:13:06 +0000, Josef El-Rayes wrote: > when i enter http://www.vuxml.org/apps/vuxml-1 in the browser > i get > > Not Found > The requested URL /apps/vuxml-1 was not found on this server. > > shouldn't the namespace exist? Actually no. The XML namespace URL is just a unique identifier, there is no requirement that it points to anything valid. It is probably stated in some XML standard, I can't remember which right now. -- Simon L. Nielsen -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-vuxml/attachments/20050111/e895cf43/attachment.bin From josef at FreeBSD.org Tue Jan 11 03:51:46 2005 From: josef at FreeBSD.org (Josef El-Rayes) Date: Tue Jan 11 04:49:57 2005 Subject: missing namespace document Message-ID: <20050111115144.GA19823@daemon.li> hi! i tried to parse the vuxml document with the xml parser that comes with mono and i was not able to parse the document for quite some time until i found out that the problem is that the namespace document is not available, when i remove the namespace declaration then it works. when i enter http://www.vuxml.org/apps/vuxml-1 in the browser i get Not Found The requested URL /apps/vuxml-1 was not found on this server. shouldn't the namespace exist? -josef -- Josef El-Rayes (__) Email: josef@daemon.li \\\'',) Web: http://daemon.li/ \/ \ ^ FreeBSD Security Team .\._/_) From nectar at FreeBSD.org Tue Jan 11 05:11:41 2005 From: nectar at FreeBSD.org (Jacques A. Vidrine) Date: Tue Jan 11 05:11:42 2005 Subject: missing namespace document In-Reply-To: <20050111121306.GB19823@daemon.li> References: <20050111121306.GB19823@daemon.li> Message-ID: <20050111131139.GB6723@lum.celabo.org> On Tue, Jan 11, 2005 at 12:13:06PM +0000, Josef El-Rayes wrote: > hi! > > i tried to parse the vuxml document with the xml parser > that comes with mono and i was not able to parse > the document for quite some time until i found out > that the problem is that the namespace document is > not available, when i remove the namespace declaration > then it works. > > when i enter http://www.vuxml.org/apps/vuxml-1 in the browser > i get > > Not Found > The requested URL /apps/vuxml-1 was not found on this server. > > shouldn't the namespace exist? No, it is rare for the namespace URI to actually be resolvable. The parser you are using is broken. The ``Namespaces in XML'' standards document states: ``The namespace name, to serve its intended purpose, should have the characteristics of uniqueness and persistence. It is not a goal that it be directly usable for retrieval of a schema (if any exists). An example of a syntax that is designed with these goals in mind is that for Uniform Resource Names [RFC2141]. However, it should be noted that ordinary URLs can be managed in such a way as to achieve these same goals.'' It is not uncommon, but also not required nor even conventional, to make an RDDL document available at URLs that are used as namespace URIs. I currently have not done so, however. Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org From nectar at FreeBSD.org Tue Jan 11 06:53:04 2005 From: nectar at FreeBSD.org (Jacques A. Vidrine) Date: Tue Jan 11 06:53:06 2005 Subject: missing namespace document In-Reply-To: <20050111131139.GB6723@lum.celabo.org> References: <20050111121306.GB19823@daemon.li> <20050111131139.GB6723@lum.celabo.org> Message-ID: <20050111145302.GA7058@lum.celabo.org> On Tue, Jan 11, 2005 at 07:11:39AM -0600, Jacques A. Vidrine wrote: > It is not uncommon, but also not required nor even conventional, to > make an RDDL document available at URLs that are used as namespace URIs. > I currently have not done so, however. For kicks, I just added an RDDL document for the VuXML XML namespace, so maybe now the broken parser will work. Maybe not, however: who knows what it expects to find there (^_^). Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org From dan at langille.org Thu Jan 13 16:17:37 2005 From: dan at langille.org (Dan Langille) Date: Thu Jan 13 16:17:38 2005 Subject: Do you respect the date_modified field? In-Reply-To: <20041217185000.GB762@zaphod.nitro.dk> References: <41C2D30F.16142.730D56B@localhost> Message-ID: <41E6C9CA.27780.93AAC789@localhost> On 17 Dec 2004 at 19:50, Simon L. Nielsen wrote: > On 2004.12.17 12:37:35 -0500, Dan Langille wrote: > > At present, FreshPorts deletes all VuXML information each time a > > commit to ~/ports/security/vuxml/vuln.xml occurs. To reduce database > > churn, I'm now looking at optimizing this process. > > > > I expect the answer to my question to be yes, but do not want to rely > > upon only my expectation. Do you respect the date_modified field? > > In general yes, though of course there can be slips sometimes. Of > course, if FreshPorts starts to use the modified date I think it's > even more likely that modified date will be updated correctly since > people will notice if it wasn't bumped. > > I almost always check my entries on FreshPorts after commit as an > extra check that I havn't made any mistakes in the committed entry... > > > I ask for reasons of keeping things simple. FreshPorts inserts each > > vuln into a table. Is it sufficient for FreshPorts to compare the > > last_modified field as supplied in vuln.xml to determine whether or > > not it should update its information? > > Not quite that simple unfortunatly. Modified date is not updated when > an entry is modified the same day as when it was originally added, or > if the modified date already has been bumped once on the date of the > commit. So you need to update for all entries which has either > modification or entry date today... actually you probably need to take > entries from the date before and after also due to timezone's. But > that should still reduce the number of entries that must bed update > considerably. > > Actually it should be rather simple to generate the real modification > date for each entry using "cvs annotate vuln.xml"... I might play > around with that later today :-). I just had a test run of this code. FreshPorts ignores any vuln that does not contain at least one date field that is within 2 days of the current date. This can be overridden on the command line so that all entries are processed, regardless of date. I'll move this to production soon. cheers -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From dan at langille.org Sun Jan 23 06:56:55 2005 From: dan at langille.org (Dan Langille) Date: Sun Jan 23 06:57:03 2005 Subject: what happens if a vuln is loaded in error? Message-ID: <41F3755F.17732.1CCB0831@localhost> Hi folks, I'm looking over the design of how FreshPorts handles VuXML changes. A thought comes to mind. If a vuln turns out to be false (i.e not a vulnerability at all, for whatever reason), what changes would be made to the VuXML data? How would this situation be fixed? Thanks. -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From dan at langille.org Mon Jan 24 07:47:39 2005 From: dan at langille.org (Dan Langille) Date: Mon Jan 24 07:47:41 2005 Subject: what happens if a vuln is loaded in error? In-Reply-To: <41F3755F.17732.1CCB0831@localhost> Message-ID: <41F4D240.12228.221FB59D@localhost> On 23 Jan 2005 at 9:58, Dan Langille wrote: > I'm looking over the design of how FreshPorts handles VuXML changes. > A thought comes to mind. If a vuln turns out to be false (i.e not a > vulnerability at all, for whatever reason), what changes would be > made to the VuXML data? How would this situation be fixed? This commit answers my question: http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml.di ff?r1=1.515&r2=1.516&f=h Thanks -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From nectar at FreeBSD.org Mon Jan 24 07:58:34 2005 From: nectar at FreeBSD.org (Jacques A. Vidrine) Date: Mon Jan 24 08:00:40 2005 Subject: what happens if a vuln is loaded in error? In-Reply-To: <41F4D240.12228.221FB59D@localhost> References: <41F3755F.17732.1CCB0831@localhost> <41F4D240.12228.221FB59D@localhost> Message-ID: <20050124155832.GF3960@lum.celabo.org> On Mon, Jan 24, 2005 at 10:47:28AM -0500, Dan Langille wrote: > On 23 Jan 2005 at 9:58, Dan Langille wrote: > > > I'm looking over the design of how FreshPorts handles VuXML > > changes. A thought comes to mind. If a vuln turns out to be > > false (i.e not a vulnerability at all, for whatever reason), what > > changes would be made to the VuXML data? How would this situation > > be fixed? > > This commit answers my question: > > http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml.diff?r1=1.515&r2=1.516&f=h Yep, I made that one just for you (^_^). But seriously, let me draw your attention to the following comments in the VuXML document model DTD (http://www.vuxml.org/dtd/vuxml-1/vuxml-model-11.mod): ,---- | A given `vuln' element may represent either an active issue | or a cancelled issue. Active `vuln's contain the full set | of sub-elements (topic, affects, and so on). Cancelled `vuln's | may contain only a single `cancelled' element. | | A `vuln' should be cancelled only when it was issued in error. `---- ,---- | If a `vuln' is issued in error, it may be cancelled by replacing its | content with a single `cancelled' element. The optional `superseded' | attribute with a VuXML ID value may be used to indicate that another | `vuln' entry replaced this one. | | Example. | | | | `---- Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org