On 2016-03-04, Jonathan Callen <jcal...@gentoo.org> wrote:
> On 03/03/2016 04:00 PM, Grant Edwards wrote:
>
>> I'm sure I'm just being stupid, but I don't understand the lists of
>> affected and unaffected version numbers in Gentoo security
>> advisories.
>>
>> For example:
>>
>> Package dev-libs/openssl on all architectures Affected
>> versions < 1.0.2f
>>
>> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >=
>> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >=
>> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11,
>> revision
>>> = 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14,
>> revision >= 0.9.8z_p15
>>
>> If it's true that versions >= 0.9.8z_p8 are unaffected, why is
>> there a need to list that versions >= 0.9.8z_p[9-15] are
>> unaffected? Are <> relationships betwen version numbers within the
>> 0.9.8z_pNNN seriels not transitive?
>
> The "revision >=" operator in GLSAs indicates "any -r# revision of the
> version greater than or equal to the indicated revision", so this is
> saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
> *is* affected.
Doh! After all these years, I just now realized that some of those
expressions are about "version" and some are about "revision"! I'd
always been reading them as the same thing.
I knew it I had to missing something basic...
Thanks for the clue!
--
Grant Edwards grant.b.edwards Yow! I would like to
at urinate in an OVULAR,
gmail.com porcelain pool --
