pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ANN: Availability of pkg(8)-capable pkgsrc



On 11/12/2016 17:44, Sevan / Venture37 wrote:
Hey John,

On 12 November 2016 at 21:18, John Marino <netbsd%marino.st@localhost> wrote:
Do you understand that pkg(8) displays vulnerability information directly?
It's not a "duplicate", it's a summary.  There's a difference.  But that's
only the case for FreeBSD Ports.  For pkgsrc auditing you get none of that
because it's not available in vuxml.

tldr; it adds a LOT of value.

This isn't really subjective.

What it boils down to is this change potentially means the
pkgsrc-security@ team has to change how they perform their role and
you're calling it when you're not going to be the one having to sift
through the mess of advisories to fish out information before
embarking on some XML.

How have you come to this conclusion?
Did I state that pkgsrc-security team has to do anything different?
A cron script downloads the pkgsrc vulnerability database and converts it to an xml format every 6 hours. Nobody has to do anything. Why is this a problem?

The only thing I could ask the security team is to keep using ranges and not regex.


Do we not get a say in this?

That's why I'm raising the point about "duplication", why am I copying
the same information out from one place & adding it in to another If
we're not adding anything? why not direct the user to the original
source and get out of the way.

This is incorrect. The original vulnerability database is not downloaded anymore. That functionality part of the "pkg" format.

I am not sure how to say this any other way: *You* are not "copying the same information". *You* are not adding it anywhere. I'm not understanding where you think I'm imposing on your personally.

John

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



Home | Main Index | Thread Index | Old Index