pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ANN: Availability of pkg(8)-capable pkgsrc

On 11/12/2016 14:53, Sevan / Venture37 wrote:
On 12 November 2016 at 20:16, John Marino <> wrote:
Well, that's exactly what is happening.  A cron job is converting the
(extremely sparse) netbsd vulnerabilities file and converting it to xml.
It's not human created.

Extremely sparse & very effective! :)

If by effective you mean it conveys the presence of a problem without actually describing it other than the broadest of terms, then yes, it's "very effective".

That being said, comparing the 2 systems is hardly fair.  It's a rickshaw
compared to a spacecraft.  If VuXML is demonstrably superior then it
shouldn't be rejected because of XML.  (aside: I've still never understood
the kick-reflex all XML is bad).

Demonstratively superior based on what criteria?

Any reasonable criteria. All you have to do is look at analogous entries in both systems.

That being said #2: The fact that freebsd does generate XML by hand
(validating it before publishing) is crazy.  There is no reason this can't
be in a proper database and generated by a script.  That's what FreeBSD
should be doing.

We currently don't have a DB dependency in either system, is that
really necessary?

I think you are confused here.

I am talking about the creation of an XML file. It doesn't add "a dependency" to pkgsrc.

You said you didn't want to edit XML by hand.
I basically agreed and said the vulnerability information should be in a database and a script should generate the XML. If you don't want to use a database then you can edit the XML by hand.

In any case, at this point, you don't have to do anything. The point is that pkg(8) uses vuxml natively and if you want it to be able to audit then you have to have it. I provided a bare-bares, barely effective version because that's all the pkgsrc vuln data allows.

The website generation feature is a convenient feature of the system
at the cost of duplication of content, manually performed by the
person adding entries. Time is precious!

hmm?  it's not duplication.  pkg(8) provides the URL. It should point to
something.  I spent like 10 hours on getting this all set up, I wouldn't
have done that for kicks.

If you look at the vuxml, the text carried is usually a duplicate of
what's published in the advisory. What value does that add? refer the
user straight to the source.

Do you understand that pkg(8) displays vulnerability information directly? It's not a "duplicate", it's a summary. There's a difference. But that's only the case for FreeBSD Ports. For pkgsrc auditing you get none of that because it's not available in vuxml.

tldr; it adds a LOT of value.

This isn't really subjective.

The listings are an aggregation of public information which is
applicable to the software we package. All we're doing is
"vulnerability management", the FreeBSD project is a CVE Numbering
Authority so in the grand scheme of things, it would be useful to
provide discovery information assuming they're allocating CVEs for
their ports tree. It's not really relevant when the packaging systems
discovered the issue otherwise. When the advisory was published is far
more important if you're trying to guage how long the information was
publicly available (the advisories usually carry that information
especially the CVEs).

There's a lot more standard sources than CVE, that's just one source.

I'm not trying to start a flame war. The FreeBSD vulnerability information is a lot more extensive. Most reasonable people would agree that extra information is useful. If you don't find it useful, other people still probably do.

The entire point of the original entry is that vulnerability detection is supported. It's as useful as the current method and significantly less useful (again, objectively) than the FreeBSD data files.


This email has been checked for viruses by Avast antivirus software.

Home | Main Index | Thread Index | Old Index