On Thu, 29 Jan 2015 20:53:31 -0500 Rich Freeman wrote:
> On Thu, Jan 29, 2015 at 7:53 PM, Grant <emailgrant@×××××.com> wrote:
> >
> > glsa-check is working fine, it was a slotted issue. Still curious
> > about a way to check for statically linked packages.
> >
>
> False positives in glsa data aren't unheard of - log those as bugs -
> vulnerable versions should be masked, and non-vulnerable versions
> shouldn't be flagged. So, if an unmasked package is flagged, there is
> a bug of some kind that should be fixed.

It seems like glsa-check can't handle intervals at all. If a package
has several intermittent intervals of vulnerable and fixed
versions, e.g. multiple slots fix fixes in several slots,
glsa-check fails:
https://bugs.gentoo.org/show_bug.cgi?id=106677

Quite an old bug...

Best regards,
Andrew Savchenko