Subject: Re: VuXML and pkgsrc
To: Adrian Portelli <>
From: Daniel Carosone <>
List: tech-security
Date: 05/04/2004 21:17:25
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 04, 2004 at 10:25:48AM +0100, Adrian Portelli wrote:
> Some other *BSD's have started using VuXML ( for
> their ports/packages related security issues.
> "VuXML is the Vulnerability and eXposure Markup Language, an XML
> application for documenting security issues in a software package
> collection such as the FreeBSD Ports Collection or OpenBSD Ports &
> Packages Collection"
> Is it worth looking at this for NetBSD pkgsrc issues ?

I like XML, as a general rule, but for what use would VuXML be valuable:

 - does it add anything important to the current format for the
   pkg-vulnerabilities list?  I guess possibly not, without checking
   the references.

 - is it something we should write a separate tool, to import other
   project's XML files and look for vulnerabilities?  (and perhaps
   likewise publish in turn)

The best benefit for XML in the general case is "i don't have to write
a parser", which is fine as far as it goes, but the present format is
parsed by existing tools easily anyway.

If it offers us, as pkgsrc developers, easier maintenance and faster
notification of problems with 3rd party code, that's of value and
interest, certainly.

I'll take a look at VuXML separately as s-o, because I've been wanting
something more structured as a source format for project Security

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.4 (NetBSD)