On 2016-03-04, Jonathan Callen <jcal...@gentoo.org> wrote:
> On 03/03/2016 04:00 PM, Grant Edwards wrote:
>
>> I'm sure I'm just being stupid, but I don't understand the lists of
>> affected and unaffected version numbers in Gentoo security
>> advisories.
>>
>> For example:
>>
>> Package dev-libs/openssl on all architectures
>> Affected versions < 1.0.2f
>>
>> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >=
>> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >=
>> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11,
>> revision >= 0.9.8z_p12, revision >= 0.9.8z_p13, revision >=
>> 0.9.8z_p14, revision >= 0.9.8z_p15
>>
>> If it's true that versions >= 0.9.8z_p8 are unaffected, why is
>> there a need to list that versions >= 0.9.8z_p[9-15] are
>> unaffected? Are <> relationships between version numbers within the
>> 0.9.8z_pNNN series not transitive?
>
> The "revision >=" operator in GLSAs indicates "any -r# revision of the
> version greater than or equal to the indicated revision", so this is
> saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
> *is* affected.

Doh! After all these years, I just now realized that some of those
expressions are about "version" and some are about "revision"! I'd
always been reading them as the same thing. I knew I had to be missing
something basic...

Thanks for the clue!

-- 
Grant Edwards <grant.b.edwards at gmail.com>
Yow! I would like to urinate in an OVULAR, porcelain pool --
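
The "version" versus "revision" distinction explained in the thread, as an added Python example that is not part of the original messages and is not Portage's own code. It assumes a simplified version grammar (dotted numbers, optional letter, `_pN`, `-rN`) and that a version is affected when it matches an affected range and no unaffected range; `parse`, `in_range` and `is_affected` are hypothetical names.

```python
import operator
import re

# Simplified version grammar (assumption, not Portage's full algorithm):
# dotted numbers, optional letter, optional _pN patch level, optional -rN.
_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:_p(\d+))?(?:-r(\d+))?$")
_CMP = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        ">=": operator.ge, ">": operator.gt}


def parse(version):
    """Split a version string into (upstream_version, ebuild_revision)."""
    m = _VER.match(version)
    if m is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    nums, letter, patch, rev = m.groups()
    upstream = (tuple(int(n) for n in nums.split(".")), letter,
                int(patch) if patch is not None else -1)
    return upstream, int(rev or 0)


def in_range(candidate, rng):
    """rng is written as in the advisory: '< 1.0.2f', 'revision >= 0.9.8z_p8'."""
    *prefix, op, ref = rng.split()
    (c_up, c_rev), (r_up, r_rev) = parse(candidate), parse(ref)
    if prefix == ["revision"]:
        # Revision operators: the upstream version must be identical;
        # only the -rN part is compared.
        return c_up == r_up and _CMP[op](c_rev, r_rev)
    # Plain operators compare the whole version, revision last.
    return _CMP[op]((c_up, c_rev), (r_up, r_rev))


def is_affected(candidate, affected, unaffected):
    """Assumption: affected = in an affected range and in no unaffected range."""
    return (any(in_range(candidate, r) for r in affected)
            and not any(in_range(candidate, r) for r in unaffected))


# Ranges copied from the advisory quoted in the thread.
AFFECTED = ["< 1.0.2f"]
UNAFFECTED = [">= 1.0.2f"] + [
    "revision >= " + v
    for v in ["1.0.1r", "1.0.1s", "1.0.1t"]
    + [f"0.9.8z_p{n}" for n in range(8, 16)]
]

if __name__ == "__main__":
    for v in ["0.9.8z_p15", "0.9.8z_p15-r1", "1.0.0", "0.9.8z_p7", "1.0.2g"]:
        print(v, "affected" if is_affected(v, AFFECTED, UNAFFECTED) else "unaffected")
```

Because each "revision >=" entry only covers one upstream version, every fixed patch level has to be listed separately, which is why the advisory enumerates 0.9.8z_p8 through 0.9.8z_p15.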