Jan-Oliver Wagner wrote:
> Hello,
>
> I've spent some time with gather-packages-list.nasl and I think it could
> be improved in some ways:

I've tried to minimize my time in there, and it shows :(

> * In case a "/etc/debian_version" is found on the target system, but
>   the contents is not matched, then a confusing note is issued
>   "System identifier unknown: "', uname, ' ..."
>   So, the uname. Although it is already clear that it is a Debian.
>   This could allow for short-cuts, avoiding unnecessary comparisons.

Yup.

> * Instead of e.g.
>     rls = ssh_cmd(socket:sock, cmd:"cat /etc/debian_version");
>   wouldn't it be better to apply
>     rls = ssh_cmd(socket:sock, cmd:"[ -f /etc/debian_version ] && cat /etc/debian_version")
>   and then check for empty strings to avoid unnecessary comparisons?

Yup.

> * For DSA's there are quite formal elements like
>     For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.
>     For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.
>   It would be absolutely great if these tests could be added as many people
>   use "almost-stable" releases already in production mode.
>   Sid-Support would be great as well.
>
> Any thoughts?

This one is a bit tougher, and I'll have to admit we haven't taken a real close look at it. My concern would be to offer coverage of a release, but find out that the coverage is incomplete. Things like bugs that aren't fixed timely (because the distribution isn't considered production ready by the release team). Or bugs that are fixed, but advisories aren't issued (we could go straight to the repositories, but then wouldn't be able to determine the difference between a bug fix and a security fix).

To be honest, I won't quibble with people using lenny (in fact, we do because it is _relatively_ stable and offered great virtualization support via kvm.) BUT BUT BUT - I don't feel guilty in not offering security checks for a release that the release team very clearly is indicating is not production quality and is not being maintained to production quality standards for security issues.

Just my $0.02 worth.

Thomas

_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
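
Added example, not part of the original message and not OpenVAS code: a Python parser for the formal DSA sentences quoted above, turning them into per-release fixed versions and reporting releases with no recorded fix as coverage gaps, which is the failure mode raised in the reply. The function names, the second word order ("distribution (codename)"), the one-sentence-per-line layout, and the etch and sarge sample lines are assumptions constructed for illustration.

```python
import re

# Sentence shape quoted in the thread, plus the variant with the codename
# after "distribution" (assumption: advisories use both word orders).
SENTENCE_RE = re.compile(
    r"For the (?P<suite>\w+)"
    r"(?: \((?P<code_a>\w+)\) distribution| distribution \((?P<code_b>\w+)\))"
    r",? (?P<rest>[^\n]*)"
)
FIXED_RE = re.compile(
    r"(?:this problem has|these problems have) been fixed in\s+version (?P<version>\S+)"
)

# The lenny and sid lines are the ones quoted in the message; the etch and
# sarge lines (and the etch version string) are constructed sample input.
SAMPLE = """\
For the stable distribution (etch), these problems have been fixed in version 0.0-1etch1.
For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.
For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.
For the oldstable distribution (sarge), these problems will be fixed soon.
"""


def parse_dsa_fixes(text):
    """Return {codename: {"suite": name, "fixed": version or None}}."""
    result = {}
    for m in SENTENCE_RE.finditer(text):
        codename = m.group("code_a") or m.group("code_b")
        fixed = FIXED_RE.search(m.group("rest"))
        result[codename] = {
            "suite": m.group("suite"),
            # Drop the sentence-ending period that trails the version string.
            "fixed": fixed.group("version").rstrip(".,") if fixed else None,
        }
    return result


def coverage(fixes):
    """Split codenames into those a version check can cover and the gaps."""
    covered = sorted(c for c, f in fixes.items() if f["fixed"])
    gaps = sorted(c for c, f in fixes.items() if not f["fixed"])
    return covered, gaps


if __name__ == "__main__":
    fixes = parse_dsa_fixes(SAMPLE)
    for codename, info in fixes.items():
        print(codename, info["suite"], info["fixed"] or "NO FIX RECORDED")
    print("covered: %s, gaps: %s" % coverage(fixes))
```

A release that ends up in the gaps list has an advisory sentence but no version to compare against, so a generated check for it could only report "unknown", never "patched".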
