On Tue, Apr 24, 2001 at 03:22:05PM -0400, Andrew R. Reiter wrote:
> On Tue, 24 Apr 2001, Kris Kennaway wrote:
>
> >
> > pkg_version may be a logical place to stick this functionality since
> > it already has code for parsing version numbers.
>
> Ya... I think it would be wise to somehow include validating of the
> security advisories too when doing these checks. Im not sure how this
> tool will know which packages are vulnerable (Im assuming a config file of
> sorts), but it would be a smart thing to include some pgp key validation
> of each of the advisory vulns the tool is looking for.
Each of the security advisories is signed as they go out, so if the
"affected versions" regexp is in the signed copy, they can just check
the signature using whichever PGP utility the script knows about,
which may be installed.
This is another reason why having a third-party modifying the advisory
to mark it up into XML is a bad idea; you lose the integrity
protection from the PGP signature.
Kris
PGP signature
