On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > And now per arch breakdowns.
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
>
> No offense, but that isn't exactly useful in its current form. For
> example, x86 shows *all* of the packages, even ones where it has a
> non-vulnerable version stable. I guess a breakdown of which
> architectures still do not have a version *higher* than the ones listed
> by the GLSA stable would be necessary instead.

You're ignoring the fact that ebuilds can and do specify version
ranges that result in portage using something other than the highest;
the report is a listing of "these pkgs are vulnerable according to
glsas", the arch-vulns is just a view of that with stable/unstable for
that arch collapsed into one.

In other words... having a version stable that isn't affected by the
glsa, good and grand, but the ebuilds sitting in the tree are *still*
vulnerable.

Splitting off a stable vs unstable is doable, but the intention of
that report is to spell out which packages in the tree are vulnerable,
thus in need of getting the boot.

~harring
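The two views being argued over above, as an added example that is not part of the thread and not ferringb's report code: a toy model where versions are plain integer tuples, keywords are a per-arch "stable"/"unstable" marker, and a GLSA is reduced to a single "unaffected from version X" boundary (all of these are simplifications assumed here; real ebuild version syntax, keyword handling and GLSA ranges are richer). `vulnerable_ebuilds` is the tree-wide listing Brian describes, `arch_vulnerable_ebuilds` is that listing with stable and unstable collapsed for one arch (which is why x86 still sees packages it has a fixed stable version for), and `arches_without_stable_fix` is the breakdown Chris asked for. The sample tree is constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ebuild:
    pkg: str
    version: tuple   # simplified: tuple of ints, compared lexicographically
    keywords: dict   # arch -> "stable" or "unstable"; absent arch = not keyworded


@dataclass(frozen=True)
class Glsa:
    pkg: str
    unaffected: tuple   # simplified: versions >= this are not affected


def is_vulnerable(ebuild, glsas):
    """An ebuild is vulnerable if any GLSA for its package puts it below the unaffected boundary."""
    return any(g.pkg == ebuild.pkg and ebuild.version < g.unaffected for g in glsas)


def vulnerable_ebuilds(tree, glsas):
    """Tree-wide report: every ebuild affected by a GLSA, ignoring keywords entirely.
    This is the listing that matters for removing ebuilds from the tree, since a
    dependency pinning an older version can make portage pick a vulnerable ebuild
    even when a fixed, higher version is stable."""
    return sorted((e.pkg, e.version) for e in tree if is_vulnerable(e, glsas))


def arch_vulnerable_ebuilds(tree, glsas, arch):
    """Per-arch view: the same listing restricted to ebuilds keyworded for `arch`
    at all, with stable and unstable collapsed into one (no distinction made)."""
    return sorted(
        (e.pkg, e.version)
        for e in tree
        if arch in e.keywords and is_vulnerable(e, glsas)
    )


def arches_without_stable_fix(tree, glsas, arches):
    """The alternative breakdown: for each GLSA'd package, which arches have no
    *stable* ebuild at or above the unaffected version."""
    result = {}
    for g in glsas:
        missing = []
        for arch in arches:
            has_fix = any(
                e.pkg == g.pkg
                and e.version >= g.unaffected
                and e.keywords.get(arch) == "stable"
                for e in tree
            )
            if not has_fix:
                missing.append(arch)
        result[g.pkg] = missing
    return result


# Constructed sample tree and GLSAs (hypothetical package names, not real data).
TREE = [
    Ebuild("net-misc/foo", (1, 0), {"x86": "stable", "amd64": "stable"}),
    Ebuild("net-misc/foo", (1, 1), {"x86": "stable", "amd64": "unstable"}),
    Ebuild("net-misc/foo", (1, 2), {"x86": "unstable"}),
    Ebuild("app-misc/bar", (2, 0), {"x86": "stable"}),
    Ebuild("app-misc/bar", (2, 1), {"x86": "unstable", "amd64": "stable"}),
]
GLSAS = [Glsa("net-misc/foo", (1, 1)), Glsa("app-misc/bar", (2, 1))]
ARCHES = ["x86", "amd64"]


if __name__ == "__main__":
    print("vulnerable in tree:", vulnerable_ebuilds(TREE, GLSAS))
    for arch in ARCHES:
        print(f"arch-vulns view for {arch}:", arch_vulnerable_ebuilds(TREE, GLSAS, arch))
    print("arches lacking a stable fix:", arches_without_stable_fix(TREE, GLSAS, ARCHES))
```

With this sample, x86 has foo-1.1 stable and so is "fixed" from the user's point of view, yet foo-1.0 still shows up in the x86 arch-vulns view because the ebuild is still in the tree and keyworded for x86; the stable-fix breakdown instead flags amd64 for foo (only 1.1 ~amd64) and x86 for bar (only 2.1 ~x86).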