Xin,

Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
> > Thanks for handling this. But I have a question: what is the general
> > policy about versions that are to be documented within the 'range'
> > clauses? You had changed version specification to '1.1.4', but it has
> > never been in the FreeBSD ports tree. So, should we specify only
> > existing port versions or can we specify vendor-specific versions as
> > well, provided that the specification will be the same from the point of
> > view of the port version evolution?
>
> The '1.1.4' was chosen because the official release notes said so,
> and it is the exact minimum version of the port, if it ever got into the
> tree. Personally I think it's a bad idea to cover versions that are
> known not to be vulnerable, for instance, the user might be running
> 1.1.4 or 1.1.5 with their local patched versions and does not want to
> upgrade, making false positives would actually hurt the credibility of
> vuxml.

OK, I expected such an answer. But then, what will you say after reading
the history of ports/128698:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698

I understand that the mentioned PR is another case and there was no
vulnerable version in the official ports tree. But the two PRs are a bit
inconsistent in their treatment of the locally patched versions, so I am
just curious -- maybe there should be some general understanding about
this?

Sorry for being so chatty, but I am just trying to understand the policy
and best practices for VuXML.

Thanks!
-- 
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
