cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml

Jacques A. Vidrine nectar at FreeBSD.org
Tue Aug 17 10:58:58 PDT 2004


[Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on
 the other list knew where this went :-) ]

On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote:
> When you can live with the dummy text produced by my perl script
> ("Please contact the FreeBSD Security Team for more information.") and
> we can make the `discovered' entry optional, fine with me. I can write
> a `make entry' perl script that parses a form and generates a template
> entry, send-pr like.

FWIW, this sounds fine by me, except about the <discovered> part.
I see your point about it though... it may be dangerous to have a
bogus value (like the date of entry), because it may not get corrected
later.  But I don't want it optional, so that it is not forgotten.
Perhaps we need the possibility of marking something explicitly
<unspecified> for such occasions ...

In the meantime, could the date of entry be used?  And perhaps a
comment could be a workaround for now, something like

   <discovered>2004-08-17</discovered> <!-- XXX please correct -->

Ugly, I know, but the current format wasn't made for
works-in-progress.  Maybe we can make some options for that...

> >In place of arguing, start forging some code to check the base
> >system against the security listings in vuln.xml.
>
> portaudit could easily do that. The only thing useful here would be to
> use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or can
> I map the version numbers somehow? I added __FreeBSD_versions in the
> last entry (multiple CVS vulnerabilities), but they are commented out
> since I don't know what the right syntax is.

By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1.  I'm
not entirely satisfied and I am open to suggestions.  This part has been
ill-specified. :-(

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
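
Added example (not part of the original message, and not portaudit or VuXML project code): a small check that lists entries whose `<discovered>` date still carries the `XXX` comment marker suggested above, or that have no `<discovered>` at all, so stand-in dates do not go uncorrected. The function name, the sample document and its vids are constructed for illustration; the marker pattern is an assumption based on the comment shown in the message.

```python
import re
from xml.dom import minidom

# Constructed sample shaped like vuln.xml; the vids and topics are made up.
SAMPLE = """<vuxml>
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>constructed: date of entry used as stand-in</topic>
    <dates>
      <discovered>2004-08-17</discovered> <!-- XXX please correct -->
      <entry>2004-08-17</entry>
    </dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>constructed: real discovery date</topic>
    <dates>
      <discovered>2004-08-01</discovered> <!-- from the advisory -->
      <entry>2004-08-17</entry>
    </dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000003">
    <topic>constructed: discovered left out</topic>
    <dates><entry>2004-08-17</entry></dates>
  </vuln>
</vuxml>"""

MARKER = re.compile(r"\bXXX\b")  # assumed marker, taken from the comment in the message

def audit_discovered(xml_text):
    """Return (vid, status, date) for entries whose <discovered> needs attention."""
    findings = []
    for vuln in minidom.parseString(xml_text).getElementsByTagName("vuln"):
        vid = vuln.getAttribute("vid")
        dates = vuln.getElementsByTagName("discovered")
        if not dates:
            findings.append((vid, "missing", None))
            continue
        disc = dates[0]
        date = "".join(n.data for n in disc.childNodes
                       if n.nodeType == n.TEXT_NODE).strip()
        # Look only at comments between </discovered> and the next element.
        sib = disc.nextSibling
        while sib is not None and sib.nodeType != sib.ELEMENT_NODE:
            if sib.nodeType == sib.COMMENT_NODE and MARKER.search(sib.data):
                findings.append((vid, "placeholder", date))
                break
            sib = sib.nextSibling
    return findings

if __name__ == "__main__":
    for finding in audit_discovered(SAMPLE):
        print(*finding)
```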

