Re: ANN: Availability of pkg(8)-capable pkgsrc

On 11/12/2016 17:44, Sevan / Venture37 wrote:
Hey John,

On 12 November 2016 at 21:18, John Marino <> wrote:
Do you understand that pkg(8) displays vulnerability information directly?
It's not a "duplicate", it's a summary.  There's a difference.  But that's
only the case for FreeBSD Ports.  For pkgsrc auditing you get none of that
because it's not available in vuxml.

tldr; it adds a LOT of value.

This isn't really subjective.

What it boils down to is this change potentially means the
pkgsrc-security@ team has to change how they perform their role and
you're calling it when you're not going to be the one having to sift
through the mess of advisories to fish out information before
embarking on some XML.

How have you come to this conclusion?
Did I state that pkgsrc-security team has to do anything different?
A cron script downloads the pkgsrc vulnerability database and converts it to an XML format every 6 hours. Nobody has to do anything. Why is this a problem?

The only thing I could ask the security team is to keep using ranges and not regex.

Do we not get a say in this?

That's why I'm raising the point about "duplication": why am I copying
the same information out from one place & adding it in to another if
we're not adding anything? Why not direct the user to the original
source and get out of the way?

This is incorrect. The original vulnerability database is not downloaded anymore. That functionality is part of the "pkg" format.

I am not sure how to say this any other way: *You* are not "copying the same information". *You* are not adding it anywhere. I'm not understanding where you think I'm imposing on you personally.
