Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: None <>
From: Otto Hilska <>
List: tech-security
Date: 07/12/2002 16:34:59
On Fri, Jul 12, 2002 at 03:13:05PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> [Dante-specific]
> Could you give me some hint where to check Dante security?
You can have a look at the source code. If there're no known
vulnerabilities, probably you're safe for a while. Every piece of
software MAY have security problems.
> Is version 1.1.9 considered to be secure? Are all the latter versions 
> just some cosmetic improvements? 
I'm sure there's some sort of changelog available.
> I don't really follow the sentence: "Note that we no longer issue 
> advisories for thirdparty software packages (pkgsrc). Instead, an 
> automated mechanism to audit installed binary package is provided in  
> pkgsrc/security/audit-packages." I have no idea, what is behind "an 
> automated mechanism".

What about trying to install pkgsrc/security/audit-packages/ first and
then asking? I find it somewhat self-explanatory, especially its MESSAGE

It means that no security advisories are published in for
3rd party software. Instead, they're kept in the audit-packages
vulnerability database.

> - a vulnerabilities database used for an automated mechanism
>   wasn't loaded with the up-to-date data from the right place,
>   because nobody/nothing felt commited to do it

Well, this is open source. Of course it COULD be that no-one cares to
update something, but usually when someone sees that our audit-packages
database is missing an advisory, he/she should try to find time to
do a simple 'send-pr'.

Otto Hilska,