Subject: Re: Damn it! pkgsrc stupidity again
To: David Maxwell <david@vex.net>
From: David Griffith <dgriffi@cs.csubak.edu>
List: tech-pkg
Date: 11/01/2006 10:08:32

On Wed, 1 Nov 2006, David Maxwell wrote:

> On Wed, Nov 01, 2006 at 07:47:19AM +0100, Ignatios Souvatzis wrote:
> > On Tue, Oct 31, 2006 at 04:30:20PM -0800, John Klos wrote:
> > >
> > > However, why does "make update" delete a package BEFORE reporting the
> > > relevant package as insecure?
> >
> > Because it is checking the new package when building it.
>
> It's certainly less convenient. It probably hasn't shown up as an issue
> since vulnerable packages are relatively rare at any point in time.
>
> A simple answer would be to check a second time, before the pkg_delete.
> Yes, that means it will be done twice, but I don't think the update case
> needs to be that micro-optimized.

I've been burned a few times with the delete-before-check thing.  The
extra time it takes to check for vulnerability is trivial, especially
considering the time it would take to fiddle around and put back the old
version.

-- 
David Griffith
dgriffi@cs.csubak.edu

A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?