On 2016-03-04, Jonathan Callen <jcallen@g.o> wrote:
> On 03/03/2016 04:00 PM, Grant Edwards wrote:
>
>> I'm sure I'm just being stupid, but I don't understand the lists of
>> affected and unaffected version numbers in Gentoo security
>> advisories.
>>
>> For example:
>>
>> Package dev-libs/openssl on all architectures
>> Affected versions < 1.0.2f
>>
>> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >=
>> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >=
>> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11,
>> revision >= 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14,
>> revision >= 0.9.8z_p15
>>
>> If it's true that versions >= 0.9.8z_p8 are unaffected, why is
>> there a need to list that versions >= 0.9.8z_p[9-15] are
>> unaffected? Are <> relationships between version numbers within the
>> 0.9.8z_pNNN series not transitive?
>
> The "revision >=" operator in GLSAs indicates "any -r# revision of the
> version greater than or equal to the indicated revision", so this is
> saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
> *is* affected.

Doh! After all these years, I just now realized that some of those
expressions are about "version" and some are about "revision"! I'd
always been reading them as the same thing.

I knew I had to be missing something basic...

Thanks for the clue!

--
Grant Edwards               grant.b.edwards        Yow! I would like to
                                  at               urinate in an OVULAR,
                              gmail.com            porcelain pool --
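
The "version" versus "revision" distinction discussed in this thread, worked through as an added example (not part of the original messages and not Portage's or glsa-check's code). Assumptions: the version parser is a simplified subset of Gentoo version syntax, the tags `lt`, `ge` and `rge` are this example's shorthand for `<`, `>=` and `revision >=`, and an unaffected match is taken to override an affected one.

```python
import re

# Simplified Gentoo-style version: dotted numbers, optional letter,
# optional _pN suffix, optional -rN revision. Not Portage's full grammar.
_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:_p(\d+))?(?:-r(\d+))?$")

def parse(version):
    """Return (base_version_key, revision); -r0 is implied when absent."""
    m = _VER.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums, letter, patch, rev = m.groups()
    base = (tuple(int(n) for n in nums.split(".")), letter,
            -1 if patch is None else int(patch))
    return base, int(rev or 0)

def matches(op, bound, installed):
    """op is 'lt' (<), 'ge' (>=) or 'rge' (revision >=); tags are this example's."""
    inst, bnd = parse(installed), parse(bound)
    if op == "rge":
        # Same version only; the -r# must be at least the listed one.
        return inst[0] == bnd[0] and inst[1] >= bnd[1]
    if op == "lt":
        return inst < bnd
    if op == "ge":
        return inst >= bnd
    raise ValueError(f"unknown operator: {op!r}")

def is_affected(installed, affected, unaffected):
    """Assumed precedence: an unaffected match overrides any affected match."""
    if any(matches(op, b, installed) for op, b in unaffected):
        return False
    return any(matches(op, b, installed) for op, b in affected)

# Ranges from the dev-libs/openssl advisory quoted in the thread.
AFFECTED = [("lt", "1.0.2f")]
UNAFFECTED = [("ge", "1.0.2f")] + [("rge", v) for v in ("1.0.1r", "1.0.1s", "1.0.1t")]
UNAFFECTED += [("rge", f"0.9.8z_p{n}") for n in range(8, 16)]

if __name__ == "__main__":
    # Installed versions below are constructed test inputs.
    for v in ("0.9.8z_p15", "0.9.8z_p15-r1", "1.0.0", "1.0.1q", "1.0.2g"):
        print(v, "affected" if is_affected(v, AFFECTED, UNAFFECTED) else "unaffected")
```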