Re: [OpenIndiana-discuss] p7zip

2016-12-09 Thread Alan Coopersmith
On 12/8/2016 10:07 PM, Jim Klimov wrote:
> On another hand, is there a particular benefit of patching older versions in 
> userland as cve fixes come out, rather than taking the newest release 
> (assumed to include all bugfixes known to authors)?

That is a very risky assumption to make - many package authors
don't release new versions just for a security fix, and sometimes
put out new versions even with known security fixes not yet
integrated.

If you're not prepared for handling patches to upstream sources as
an unfortunately common case, then you'll end up with big holes in
your security strategy.

-alan-

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] p7zip

2016-12-09 Thread Peter Tribble
On Thu, Dec 8, 2016 at 7:05 PM, Tim Mooney wrote:

> In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said
> (at...:
>
>
>> Hi. Yes, we missed this fix. I've just committed it.
>> Unfortunately, pkg info is quite useless in determining, which security
>> fixes are applied to the package.
>>
>
> Yeah, we talked about that issue last year around this time.  This
> post from Peter is from the middle of the long thread, but it captures
> one of the most interesting ideas:
>
> https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html


That's one way to do it. My point there was really though that if you were
going to add metadata to IPS, then someone had already done it and it would
make sense to follow in their footsteps rather than reinvent the wheel.

The other option that I've been vaguely looking at is vuxml. That's a
separate database (where the output from the database is just an xml file).
Used by FreeBSD, and they have some tooling around it so you wouldn't be
starting from scratch. And it may be possible to save a lot of work by
importing their database.

In any event, tracking all this is a lot of work.

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
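To make the vuxml idea concrete, here is an added example (not code from this thread, and not FreeBSD's own vuxml tooling) of what consuming such a feed looks like: it parses a VuXML-style XML document and audits a list of installed package versions against the affected ranges, which is exactly the question `pkg info` cannot answer on its own. The element names (`vuxml`, `vuln`, `affects`, `package`, `name`, `range`, `lt`/`le`/`gt`/`ge`/`eq`, `references`, `cvename`) follow the FreeBSD VuXML schema as this example's author understands it; the feed content, the `vid` values, the CVE ids and the installed-package list are all constructed placeholders, and the version comparison is deliberately simplified (numeric components only, no epochs or pre-release markers).

```python
"""Audit installed package versions against a VuXML-style vulnerability feed.

Added example for the openindiana-discuss thread; not the project's own code
and not FreeBSD's vuxml tooling. Schema element names follow VuXML as this
example's author understands it; all data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample feed: vid values and CVE ids are placeholders, not real.
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>p7zip -- constructed entry: fixed in 16.02_1</topic>
    <affects>
      <package>
        <name>p7zip</name>
        <range><lt>16.02_1</lt></range>
      </package>
    </affects>
    <references><cvename>CVE-YYYY-NNNNN</cvename></references>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>examplelib -- constructed entry with a bounded range</topic>
    <affects>
      <package>
        <name>examplelib</name>
        <range><ge>2.0</ge><lt>2.3.1</lt></range>
      </package>
    </affects>
    <references><cvename>CVE-YYYY-MMMMM</cvename></references>
  </vuln>
</vuxml>
"""

# Comparison operators for the range bound elements.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(version):
    """Turn '16.02_1' into (16, 2, 1) for tuple comparison.

    Simplified on purpose: only numeric components are compared, so
    epochs, letters and pre-release markers are not handled."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def in_range(version, rng):
    """True if `version` satisfies every bound inside a <range> element.
    A <range> with no bounds matches every version."""
    key = version_key(version)
    for bound in rng:
        tag = bound.tag.split("}")[-1]  # strip the namespace
        if tag in OPS and not OPS[tag](key, version_key(bound.text.strip())):
            return False
    return True


def load_feed(xml_text):
    """Parse the feed into a list of dicts: vid, topic, cves, affects."""
    root = ET.fromstring(xml_text)
    vulns = []
    for vuln in root.findall("v:vuln", NS):
        entry = {
            "vid": vuln.get("vid"),
            "topic": vuln.findtext("v:topic", "", NS),
            "cves": [c.text for c in vuln.findall("v:references/v:cvename", NS)],
            "affects": [],
        }
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in pkg.findall("v:name", NS)]
            ranges = pkg.findall("v:range", NS)
            entry["affects"].append((names, ranges))
        vulns.append(entry)
    return vulns


def audit(installed, xml_text=SAMPLE_VUXML):
    """installed: {package name: version}. Returns a list of
    (name, version, vid, topic, cves) for every matching entry."""
    findings = []
    for entry in load_feed(xml_text):
        for names, ranges in entry["affects"]:
            for name in names:
                if name not in installed:
                    continue
                ver = installed[name]
                if any(in_range(ver, r) for r in ranges):
                    findings.append((name, ver, entry["vid"], entry["topic"], entry["cves"]))
    return findings


if __name__ == "__main__":
    # Constructed installed-package list for a demonstration run.
    for hit in audit({"p7zip": "16.02", "examplelib": "2.3.1", "otherpkg": "1.0"}):
        print("%s-%s affected by %s (%s): %s" % (hit[0], hit[1], hit[2], hit[3], ", ".join(hit[4])))
```

The point of keeping the vulnerability data outside the package manifest is visible in `audit()`: the installed version list is the only thing taken from the system, and the feed can be refreshed (or, as suggested above, imported from FreeBSD's database) without rebuilding any package. A real version comparator for IPS or pkg(8) would need to replace `version_key`.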