Subject: Re: Varied pkgsrc package names not always reflected in pkg-vulnerabilities file
To: David H.Gutteridge <>
From: Thomas Klausner <>
List: tech-pkg
Date: 01/14/2005 14:52:44

On Wed, Jan 12, 2005 at 07:57:03PM -0500, David H.Gutteridge wrote:
> I thought I'd mention that the pkg-vulnerabilities file
> doesn't always list all the names that pkgsrc packages
> have existed under, and consequently misses providing
> some notifications.

True. It is handled by humans, and they tend to make mistakes :)

> I've found two examples in my own case.  Version 0.7 of
> Firebird (as it used to be called) went by the name
> MozillaFirebird in pkgsrc.  Some relevant advisories
> are missed because there's nothing under that name in
> the pkg-vulnerabilities file.
> More recently, the same thing goes for Perl.  I have the
> package perl-thread-5.8.4nb1 installed on a machine, and 
> it doesn't get picked up by audit-packages because the
> string doesn't match against "perl-5.8.[0-4]*".

I added patterns for those to the vulnerabilities file.
If you find any additional oversights, please let me know.