[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: binary pkg "variants" ? [was: Re: Package split or package options?]
On Mon, Mar 31, 2014 at 4:06 AM, Anthony Mallet
> On Sunday, at 13:54, Tim Zingelman wrote:
> | I am concerned about how this will affect our ability to correctly
> | produce patterns for the pkg-vulnerabilities file (used by
> | audit-packages.)
> | We too often have a hard time getting all the patterns right, and
> | unless I misunderstand how this change to package names and new
> | matching will work this will make things significantly harder.
> | Perhaps an example will help me understand... If a package has 6
> | possible non-mutually exclusive options, 2 of which are default and
> | there is a vulnerability in the base package (with or without options)
> | how do we specify a pattern? To be more concrete lets say the
> | vulnerability is found in versions of pkgname starting with version 4
> | and is fixed in pkgname-4.3.2nb1, and lets call the options aaa, bbb,
> | ccc, ddd, eee & fff, with bbb & fff being default options. Prior to
> | these proposed changes we would use the pattern pkgname>=4<4.3.2nb1
> | I appreciate any assistance you can provide in helping me understand
> | the fine details here.
> Well, if the options don't affect the vulnerability, pkgname>=4<4.3.2nb1 would
> work just fine and match all packages in the version range whatever their
> But it the vulnerability is, say, only in option aaa (no matter if it's a
> default option or not), then the vulnerable packages would be
> And if the vulnerability is instead present with all options but option bbb,
> then then the vulnerable packages would be
> ('!' representing 'not', but it could be ^ as well or whatever char that is
> deemed appropriate)
Thanks, that makes it more clear. I guess this is at worst break even
and at best an improvement for vulnerability matching.
I appreciate the clarification.
Main Index |
Thread Index |