Subject: Re: proposal: adding security-advisory variables to package makefiles.
To: Bill Sommerfeld <>
From: David Brownlee <>
List: tech-pkg
Date: 09/12/2000 09:08:10
On Mon, 11 Sep 2000, Bill Sommerfeld wrote:

> I'd like there two be two new optional package makefile variables:
> INSECURE_BEFORE= <package-version>
>    This declares that packages older than the specified package-version
>    may contain known security holes and should be upgraded ASAP.
	I'd prefer to see this as INSECURE_VERSIONS and use the
	standard dewey compares (eg: '<1.2.4'). This allows us to
	handle the case where version formats change - 20000809 is
	insecure, but 1.0.1 is not.
	I'm more than happy to tweak lintpkgsrc to do things with
	the value :)

>    This is intended to contain one or more URLs containing security
>    advisories explaining why the INSECURE_BEFORE entry was added.
> Intended usage:
>  - Reduce the effort needed to generate netbsd-specific security
> advisories for third-party packages.
>  - Include information in the generated README.html
>  - Can be used to generate a consolidated "advisory checker" list.
>  - Allow for the creation of tools which download the most recent
> package advisory list from a * server, check vs. installed
> packages on a system, and email the system administrator suggesting
> that upgrading the packages would be in order.

	I like the idea.

			       -- A pmap for every occasion --