Subject: Re: proposal: adding security-advisory variables to package makefiles.
To: Bill Sommerfeld <email@example.com>
From: David Brownlee <firstname.lastname@example.org>
Date: 09/12/2000 09:08:10
On Mon, 11 Sep 2000, Bill Sommerfeld wrote:
> I'd like there two be two new optional package makefile variables:
> INSECURE_BEFORE= <package-version>
> This declares that packages older than the specified package-version
> may contain known security holes and should be upgraded ASAP.
I'd prefer to see this as INSECURE_VERSIONS and use the
standard dewey compares (eg: '<1.2.4'). This allows us to
handle the case where version formats change - 20000809 is
insecure, but 1.0.1 is not.
I'm more than happy to tweak lintpkgsrc to do things with
the value :)
> RECENT_ADVISORIES= <url>
> This is intended to contain one or more URLs containing security
> advisories explaining why the INSECURE_BEFORE entry was added.
> Intended usage:
> - Reduce the effort needed to generate netbsd-specific security
> advisories for third-party packages.
> - Include information in the generated README.html
> - Can be used to generate a consolidated "advisory checker" list.
> - Allow for the creation of tools which download the most recent
> package advisory list from a *.netbsd.org server, check vs. installed
> packages on a system, and email the system administrator suggesting
> that upgrading the packages would be in order.
I like the idea.
-- www.netbsd.org: A pmap for every occasion --