On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > And now per arch breakdowns.
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
> 
> No offense, but that isn't exactly useful in its current form.  For
> example, x86 shows *all* of the packages, even ones where it has a
> non-vulnerable version stable.
> I guess a breakdown of which
> architectures still do not have a version *higher* than the ones listed
> by the GLSA stable would be necessary instead.

You're ignoring the fact that ebuilds can and do specify version 
ranges that result in portage using something other than the highest - 
the report is a listing of "these pkgs are vulnerable according to 
glsas", the arch-vulns is just a view of that with stable/unstable for 
that arch collapsed into one.

In other words... having a version stable that isn't affected by the 
glsa, good and grand, but the ebuilds sitting in the tree are *still* 
vulnerable.

Splitting off a stable vs unstable is doable, but the intention of 
that report is to spell out which packages in the tree are vulnerable, 
thus in need of getting the boot.

~harring
