Subject: Re: Varied pkgsrc package names not always reflected in pkg-vulnerabilities file
To: David H.Gutteridge <firstname.lastname@example.org>
From: Thomas Klausner <wiz@NetBSD.org>
Date: 01/14/2005 14:52:44
On Wed, Jan 12, 2005 at 07:57:03PM -0500, David H.Gutteridge wrote:
> I thought I'd mention that the pkg-vulnerabilities file
> doesn't always list all the names that pkgsrc packages
> have existed under, and consequently misses providing
> some notifications.
True. It is handled by humans, and they tend to make mistakes :)
> I've found two examples in my own case. Version 0.7 of
> Firebird (as it used to be called) went by the name
> MozillaFirebird in pkgsrc. Some relevant advisories
> are missed because there's nothing under that name in
> the pkg-vulnerabilities file.
> More recently, the same thing goes for Perl. I have the
> package perl-thread-5.8.4nb1 installed on a machine, and
> it doesn't get picked up by audit-packages because the
> string doesn't match against "perl-5.8.[0-4]*".
I added patterns for those to the vulnerabilities file.
If you find any additional oversights, please let me know.
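The failure mode discussed in this thread, as an added example that is not part of the original message and is not pkgsrc or audit-packages code: a glob written for one package name silently skips an installed package that carries a variant name. Assumptions: `fnmatchcase` stands in for pkgsrc's own pattern matcher, the patterns, advisory labels and installed list are constructed, and the substring check that flags possible variants is a hypothetical heuristic.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data (not copied from the real pkg-vulnerabilities file).
PATTERNS = [
    ("perl-5.8.[0-4]*", "constructed-advisory-1"),
    ("firebird-0.[0-7]*", "constructed-advisory-2"),
]
INSTALLED = ["perl-thread-5.8.4nb1", "MozillaFirebird-0.7",
             "perl-5.8.3", "zsh-4.2.1"]
# Extra patterns a maintainer could add for the variant names.
VARIANT_PATTERNS = [
    ("perl-thread-5.8.[0-4]*", "constructed-advisory-1"),
    ("MozillaFirebird-0.[0-7]*", "constructed-advisory-2"),
]


def base_name(pkg_or_pattern):
    """Name part: text before the first '-' followed by a digit or '['."""
    m = re.match(r"^(.*?)-(?=[0-9\[])", pkg_or_pattern)
    return m.group(1) if m else pkg_or_pattern


def audit(installed, patterns):
    """Return (hits, gaps). hits: packages matched by a pattern.
    gaps: unmatched packages whose name contains the base name of some
    pattern, i.e. a possible renamed variant that needs its own entry."""
    hits, gaps = [], []
    for pkg in installed:
        matched = [adv for pat, adv in patterns if fnmatchcase(pkg, pat)]
        if matched:
            hits.append((pkg, matched))
            continue
        name = base_name(pkg).lower()
        related = sorted({base_name(pat) for pat, _ in patterns
                          if base_name(pat).lower() in name})
        if related:
            gaps.append((pkg, related))
    return hits, gaps


if __name__ == "__main__":
    for label, pats in (("before", PATTERNS),
                        ("after", PATTERNS + VARIANT_PATTERNS)):
        hits, gaps = audit(INSTALLED, pats)
        print(label, "hits:", hits)
        print(label, "possible naming gaps:", gaps)
```

A package listed under "possible naming gaps" is only a candidate for review; the substring check can also flag unrelated packages that happen to share part of a name.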