[gentoo-user] Re: I don't understand version numbers in Gentoo security advisories
On 2016-03-04, Jonathan Callen wrote:
> On 03/03/2016 04:00 PM, Grant Edwards wrote:
>
>> I'm sure I'm just being stupid, but I don't understand the lists of
>> affected and unaffected version numbers in Gentoo security
>> advisories.
>>
>> For example:
>>
>> Package dev-libs/openssl on all architectures
>> Affected versions < 1.0.2f
>>
>> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >=
>> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >=
>> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11,
>> revision >= 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14,
>> revision >= 0.9.8z_p15
>>
>> If it's true that versions >= 0.9.8z_p8 are unaffected, why is
>> there a need to list that versions >= 0.9.8z_p[9-15] are
>> unaffected? Are <> relationships between version numbers within the
>> 0.9.8z_pNNN series not transitive?
>
> The "revision >=" operator in GLSAs indicates "any -r# revision of the
> version greater than or equal to the indicated revision", so this is
> saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
> *is* affected.

Doh! After all these years, I just now realized that some of those
expressions are about "version" and some are about "revision"! I'd
always been reading them as the same thing. I knew I had to be missing
something basic...

Thanks for the clue!

--
Grant Edwards
grant.b.edwards at gmail.com
Yow! I would like to urinate in an OVULAR, porcelain pool --

[gentoo-user] Re: I don't understand version numbers in Gentoo security advisories
On 03/03/2016 04:00 PM, Grant Edwards wrote:
> I'm sure I'm just being stupid, but I don't understand the lists of
> affected and unaffected version numbers in Gentoo security
> advisories.
>
> For example:
>
> Package dev-libs/openssl on all architectures
> Affected versions < 1.0.2f
>
> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >=
> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >=
> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11,
> revision >= 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14,
> revision >= 0.9.8z_p15
>
> If it's true that versions >= 0.9.8z_p8 are unaffected, why is
> there a need to list that versions >= 0.9.8z_p[9-15] are
> unaffected? Are <> relationships between version numbers within the
> 0.9.8z_pNNN series not transitive?
>

The "revision >=" operator in GLSAs indicates "any -r# revision of the
version greater than or equal to the indicated revision", so this is
saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
*is* affected.

Jonathan