From: Brian Harring
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Security/QA Spring Cleaning
Date: Tue, 23 May 2006 14:06:20 -0700
Message-ID: <20060523210620.GE14671@nightcrawler>
In-Reply-To: <1148417466.18445.16.camel@cgianelloni.nuvox.net>
References: <1148266942.19708.90.camel@localhost> <1148415750.11998.34.camel@onyx> <1148417466.18445.16.camel@cgianelloni.nuvox.net>

On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > And now per arch breakdowns.
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
>
> No offense, but that isn't exactly useful in its current form. For
> example, x86 shows *all* of the packages, even ones where it has a
> non-vulnerable version stable. I guess a breakdown of which
> architectures still do not have a version *higher* than the ones listed
> by the GLSA stable would be necessary instead.

You're ignoring the fact that ebuilds can and do specify version
ranges that result in portage using something other than the highest -
the report is a listing of "these pkgs are vulnerable according to
glsas", the arch-vulns is just a view of that with stable/unstable for
that arch collapsed into one.

In other words... having a version stable that isn't affected by the
glsa, good and grand, but the ebuilds sitting in the tree are *still*
vulnerable.

Splitting off a stable vs unstable is doable, but the intention of
that report is to spell out which packages in the tree are vulnerable,
thus in need of getting the boot.

~harring
--
gentoo-dev@gentoo.org mailing list
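The two views being argued over above (the per-arch "does this arch have a non-vulnerable version stable?" view Chris asks for, versus the tree-wide "which vulnerable ebuilds are still in the tree?" view the report gives), and the version-range point Brian raises, can be shown side by side. The following is an added illustration, not code from the thread or from the arch-vulnerabilities report; the package tree, keywords and GLSA data are constructed, and the version model is a hypothetical simplification (plain dotted numeric versions, a single "first unaffected version" per GLSA) rather than Portage's real version and atom rules.

```python
from typing import Callable, Dict, List, Optional, Tuple

# (version, {arch: "stable" | "unstable"}); an arch missing from the dict has no keyword.
Versions = List[Tuple[str, Dict[str, str]]]


def parse_version(v: str) -> Tuple[int, ...]:
    # Hypothetical simplification: plain dotted numeric versions only.
    return tuple(int(p) for p in v.split("."))


# Constructed sample tree (not real Gentoo packages).
TREE: Dict[str, Versions] = {
    "net-misc/foo": [
        ("1.0", {"x86": "stable", "amd64": "stable"}),
        ("1.1", {"x86": "stable", "amd64": "unstable"}),
        ("1.2", {"x86": "unstable"}),
    ],
    "app-misc/bar": [
        ("2.0", {"x86": "stable", "amd64": "stable"}),
        ("2.1", {"x86": "stable", "amd64": "stable"}),
    ],
}

# Constructed GLSA data: package -> first unaffected version; anything lower is vulnerable.
GLSA: Dict[str, str] = {"net-misc/foo": "1.1", "app-misc/bar": "2.1"}


def is_vulnerable(pkg: str, version: str, glsa: Dict[str, str]) -> bool:
    return pkg in glsa and parse_version(version) < parse_version(glsa[pkg])


def tree_view(tree: Dict[str, Versions], glsa: Dict[str, str]) -> Dict[str, List[str]]:
    """Tree-wide view: every vulnerable ebuild still sitting in the tree,
    regardless of whether some arch already has a safe version stable."""
    out: Dict[str, List[str]] = {}
    for pkg, versions in tree.items():
        bad = [v for v, _ in versions if is_vulnerable(pkg, v, glsa)]
        if bad:
            out[pkg] = bad
    return out


def highest_stable(versions: Versions, arch: str,
                   accept: Callable[[str], bool] = lambda v: True) -> Optional[str]:
    """Highest version keyworded stable on `arch` that also passes `accept`
    (a stand-in for the version constraint of a dependency atom)."""
    cands = [v for v, kw in versions if kw.get(arch) == "stable" and accept(v)]
    return max(cands, key=parse_version) if cands else None


def arch_view(tree: Dict[str, Versions], glsa: Dict[str, str], arch: str) -> Dict[str, bool]:
    """Per-arch view: is the arch's highest stable version unaffected by the GLSA?"""
    out: Dict[str, bool] = {}
    for pkg, versions in tree.items():
        best = highest_stable(versions, arch)
        out[pkg] = best is not None and not is_vulnerable(pkg, best, glsa)
    return out


def selected_by_upper_bound(tree: Dict[str, Versions], pkg: str, arch: str,
                            upper_bound: str) -> Optional[str]:
    """What a consumer depending on '<pkg-upper_bound' would get on `arch`: the
    highest stable version below the bound, which may be a vulnerable one even
    when a safe version is also stable."""
    limit = parse_version(upper_bound)
    return highest_stable(tree[pkg], arch, accept=lambda v: parse_version(v) < limit)


if __name__ == "__main__":
    print("vulnerable ebuilds in tree:", tree_view(TREE, GLSA))
    for arch in ("x86", "amd64"):
        print(f"{arch} safe-stable view:", arch_view(TREE, GLSA, arch))
    picked = selected_by_upper_bound(TREE, "net-misc/foo", "x86", "1.1")
    print("x86 with a '<net-misc/foo-1.1' dependency gets:", picked,
          "(vulnerable)" if is_vulnerable("net-misc/foo", picked, GLSA) else "(safe)")
```

On the constructed data, x86 looks clean in the per-arch view (foo-1.1 and bar-2.1 are stable there), yet foo-1.0 and bar-2.0 are still in the tree, and a consumer constrained to `<net-misc/foo-1.1` would be resolved to the vulnerable foo-1.0 on x86 despite the safe version being stable. That is the gap between "this arch has a safe stable version" and "no vulnerable ebuild remains in the tree" that the reply is pointing at.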