tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: binary pkg "variants" ? [was: Re: Package split or package options?]

On Sunday, at 13:54, Tim Zingelman wrote:
| I am concerned about how this will affect our ability to correctly
| produce patterns for the pkg-vulnerabilities file (used by
| audit-packages.)
| We too often have a hard time getting all the patterns right, and
| unless I misunderstand how this change to package names and new
| matching will work this will make things significantly harder.
| Perhaps an example will help me understand... If a package has 6
| possible non-mutually exclusive options, 2 of which are default and
| there is a vulnerability in the base package (with or without options)
| how do we specify a pattern?  To be more concrete lets say the
| vulnerability is found in versions of pkgname starting with version 4
| and is fixed in pkgname-4.3.2nb1, and lets call the options aaa, bbb,
| ccc, ddd, eee & fff, with bbb & fff being default options.  Prior to
| these proposed changes we would use the pattern pkgname>=4<4.3.2nb1
| I appreciate any assistance you can provide in helping me understand
| the fine details here.

Well, if the options don't affect the vulnerability, pkgname>=4<4.3.2nb1 would
work just fine and match all packages in the version range whatever their

But it the vulnerability is, say, only in option aaa (no matter if it's a
default option or not), then the vulnerable packages would be

And if the vulnerability is instead present with all options but option bbb,
then then the vulnerable packages would be

('!' representing 'not', but it could be ^ as well or whatever char that is
deemed appropriate)

Home | Main Index | Thread Index | Old Index