On Mon, Apr 23, 2001 at 10:27:22PM -0700, Rich Morin wrote:
> I have a partly-baked idea regarding the security advisories that
> I see on freebsd-announce. While I applaud the intent of these
> notices, I wonder if some sort of automation might not make them a
> bit more useful.
>
> Let's say we encoded the advisories in XML and put them up for HTTP
> access, encoding the version characterization information (e.g.,
> Affects) in some mechanically-usable fashion. Then, a Perl script
> on the local machine could look up the advisories, run the tests,
> and report the results, all without compromising the privacy of the
> local system.
Heh..I just sent off an email to someone on -stable suggesting this as
a project. If you're interested you and he should work together;
Roman Shterenzon <[EMAIL PROTECTED]> was also looking at the project a
while back but seems to have been sidetracked.
My take on the problem is that XML is overkill and will only lead to
tears: the problem we're trying to solve here is describing a range of
affected package versions, which IMO can be done easily enough by just
sticking a regex or glob in the advisory header and matching on that.
pkg_version may be a logical place to stick this functionality since
it already has code for parsing version numbers.
Kris
PGP signature
