Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: None <firstname.lastname@example.org>
From: Otto Hilska <email@example.com>
Date: 07/12/2002 16:34:59
On Fri, Jul 12, 2002 at 03:13:05PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> Could you give me some hint where to check Dante security?
You can have a look at the source code. If there're no known
vulnerabilities, probably you're safe for a while. Every piece of
software MAY have security problems.
> Is version 1.1.9 considered to be secure? Are all the latter versions
> just some cosmetic improvements?
I'm sure there's some sort of changelog available.
> I don't really follow the sentence: "Note that we no longer issue
> advisories for thirdparty software packages (pkgsrc). Instead, an
> automated mechanism to audit installed binary package is provided in
> pkgsrc/security/audit-packages." I have no idea, what is behind "an
> automated mechanism".
What about trying to install pkgsrc/security/audit-packages/ first and
then asking? I find it somewhat self-explanatory, especially its MESSAGE
It means that no security advisories are published in www.netbsd.org for
3rd party software. Instead, they're kept in the audit-packages
> - a vulnerabilities database used for an automated mechanism
> wasn't loaded with the up-to-date data from the right place,
> because nobody/nothing felt commited to do it
Well, this is open source. Of course it COULD be that no-one cares to
update something, but usually when someone sees that our audit-packages
database is missing an advisory, he/she should try to find time to
do a simple 'send-pr'.
Otto Hilska, firstname.lastname@example.org