Subject: Re: problem with download-vulnerability-list
To: Steven M. Bellovin <smb@research.att.com>
From: Alistair Crooks <agc@wasabisystems.com>
List: netbsd-users
Date: 07/28/2003 11:46:22
On Sun, Jul 27, 2003 at 05:25:03PM -0400, Steven M. Bellovin wrote:
> In message <Pine.NEB.4.53.0307272227490.199@forsaken.emlyn.absd.org>, David Bro
> wnlee writes:
> >On Sun, 27 Jul 2003, David Maxwell wrote:
> >
> >> On Sun, Jul 27, 2003 at 09:12:54AM -0400, Steve Bellovin wrote:
> >> > It's complaining that the new vulnerability list is shorter than the
> >> > old one.
> >>
> >> Corrected. The combination of a 0 size change by a 4 char-name committer
> >> after a 5-char name committer...
> >>
> >> One of these days I'll eliminate this size dependency scheme.
> >
> > Maybe it could switch to 'wc -l'?
> >
>
> What's needed is some assurance that (a) the file wasn't truncated on
> download, and (b) that the file is newer than the previous one. I
> suggest sha1 for the former and a timestamp -- date +%s will do -- for
> the latter.
I disagree - you are suggesting two extra pieces of information to be
downloaded (and maintained by NetBSD developers). I think the
suggestion of an EOF token is the best way to go, since the
information is held in the vulnerabilities file, there is no other
extraneous information to download, and two less things to worry about
when updating the vulnerabilities file.
Regards,
Alistair