| 1 |
On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote: |
| 2 |
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote: |
| 3 |
> > And now per arch breakdowns. |
| 4 |
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/ |
| 5 |
> |
| 6 |
> No offense, but that isn't exactly useful in its current form. For |
| 7 |
> example, x86 shows *all* of the packages, even ones where it has a |
| 8 |
> non-vulnerable version stable. |
| 9 |
> I guess a breakdown of which |
| 10 |
> architectures still do not have a version *higher* than the ones listed |
| 11 |
> by the GLSA stable would be necessary instead. |
| 12 |
|
| 13 |
You're ignoring the fact that ebuilds can and do specify version |
| 14 |
ranges that result in portage using something other then the highest- |
| 15 |
the report is a listing of "these pkgs are vulnerable according to |
| 16 |
glsas", the arch-vulns is just a view of that with stable/unstable for |
| 17 |
that arch collapsed into one. |
| 18 |
|
| 19 |
In other words... having a version stable that isn't affected by the |
| 20 |
glsa, good and grand, but the ebuilds sitting in the tree are *still* |
| 21 |
vulnerable. |
| 22 |
|
| 23 |
Splitting off a stable vs unstable is doable, but the intention of |
| 24 |
that report is to spell out which packages in the tree are vulnerable, |
| 25 |
thus in need of getting the boot. |
| 26 |
|
| 27 |
~harring |
Archives