pkgsrc-Users archive


Re: ANN: Availability of pkg(8)-capable pkgsrc



On 12 November 2016 at 20:16, John Marino <netbsd%marino.st@localhost> wrote:
> Well, that's exactly what is happening.  A cron job is converting the
> (extremely sparse) netbsd vulnerabilities file and converting it to xml.
> It's not human created.

Extremely sparse & very effective! :)

> That being said, comparing the 2 systems is hardly fair.  It's a rickshaw
> compared to a spacecraft.  If VuXML is demonstrably superior then it
> shouldn't be rejected because of XML.  (aside: I've still never understood
> the kick-reflex all XML is bad).

Demonstratively superior based on what criteria?

> That being said #2: The fact that freebsd does generate XML by hand
> (validating it before publishing) is crazy.  There is no reason this can't
> be in a proper database and generated by a script.  That's what FreeBSD
> should be doing.

We currently don't have a DB dependency in either system, is that
really necessary?

>> The website generation feature is a convenient feature of the system
>> at the cost of duplication of content, manually performed by the
>> person adding entries. Time is precious!
>
>
> hmm?  it's not duplication.  pkg(8) provides the URL. It should point to
> something.  I spent like 10 hours on getting this all set up, I wouldn't
> have done that for kicks.

If you look at the vuxml, the text carried is usually a duplicate of
what's published in the advisory. What value does that add? Refer the
user straight to the source.
The listings are an aggregation of public information which is
applicable to the software we package. All we're doing is
"vulnerability management", the FreeBSD project is a CVE Numbering
Authority so in the grand scheme of things, it would be useful to
provide discovery information assuming they're allocating CVEs for
their ports tree. It's not really relevant when the packaging systems
discovered the issue otherwise. When the advisory was published is far
more important if you're trying to gauge how long the information was
publicly available (the advisories usually carry that information
especially the CVEs).


Sevan

