cvs commit: ports/security/vuxml vuln.xml

[Simon L. Nielsen]

On 2006.09.26 21:37:52 +0400, Andrew Pantyukhin wrote:
> On 9/26/06, Simon L. Nielsen <simon at freebsd.org> wrote:
> >On 2006.09.26 05:27:16 +0000, Andrew Pantyukhin wrote:
> >> sat         2006-09-26 05:27:16 UTC
> >>
> >>   FreeBSD ports repository
> >>
> >>   Modified files:
> >>     security/vuxml       vuln.xml
> >>   Log:
> >>   - Update the unace advisory
> >
> >Why did you add the Secunia advisory in the body?  Isn't it just
> >different wording for the same issues?
> 
> The original advisory is only for 1.x. Secunia added some info
> about 2.x.

OK.  I think the first two paragraph's could just have been ommitted
from the Secunia blockquote to avoid too much duplicated info.

> >Also, it's generally a bad idea to use <ge> if the port isn't fixed
> >since you risk someone bumping port reversion etc. and therefor
> >marking the port as fixed when it really isn't.
> 
> I understand. I used <le> because (1) this is a binary port and
> there won't be a patch and a bump, so <lt> version+bump
> does not make sense, (2) the bug has been confirmed in <=2.5
> only, and winace team is not very public about security fixes,
> (3) I'm the maintainer and I think the port has outlived its
> usefulness, so I scheduled it for removal in a month unless
> we are surprised by a brand new unace binary.
> 
> If you think that <gt> 0 or something like that is better, please
> tell me and I'll fix the advisory.

I agree that it probably isn't a problem, but I prefer better safe
than sorry.  Wrt. (1) above there could still be a patch level bump in
theory due to other problems issues e.g. something in the port
infrastructure which caused patch level to be bumped (not really a
problem here due to (3), but still).

So, I prefer if this was changes, also in case people look at the
entry at a later point then it's better to have a good example :-).

-- 
Simon L. Nielsen