[OpenIndiana-discuss] p7zip
Alexander Pyhalov
alp at rsu.ru
Thu Dec 8 22:19:02 UTC 2016
Tim Mooney wrote on 08.12.2016 22:05:
> In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said
> (at...:
>
>> Jim Klimov wrote on 04.12.2016 20:11:
>>> On 4 December 2016 16:16:57 CET, cpforum <cpforum at orange.fr> writes:
>>>> Hi,
>>>>
>>>> It seems that CVE-2016-9296 (2016111) affects the p7zip Hipster release
>>>> (15.14.1-2016.0.0.3)
>>
>> Hi. Yes, we missed this fix. I've just committed it.
>> Unfortunately, pkg info is quite useless in determining which
>> security fixes are applied to the package.
>
> Yeah, we talked about that issue last year around this time. This
> post from Peter is from the middle of the long thread, but it captures
> one of the most interesting ideas:
>
> https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html
Hi.
Yes, the idea is really interesting.
But there are many small issues to be solved.
For example, I bump a package version. A month later I find out that this
updated version fixed some vulnerability. Should I update the security
metadata package?
What about CVEs which we miss? I mean, one should constantly monitor
security lists for new issues. What about old CVEs?
So, absence of CVE metadata in this new security package will likely
mean 'unknown', not 'vulnerable'.
Another, more technical issue is that we sometimes can wrongly predict
published package version. So, should we fix such wrongly added
metadata?
If we fix it, will two facts appear in the security metadata package?
So, before implementing something similar we should analyze all pros and
cons for a while.
Another question is whether we should collect this metadata in one dedicated
package or in the package which fixed the issue. I think a separate package is
better, as this allows us to mark CVEs as fixed-in-past.
Should it be IPS metadata at all? Perhaps it could be just RSS
extracted from some git tags?
---
System Administrator of Southern Federal University Computer Center
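As an added illustration (not code from this thread or from OpenIndiana), a small Python model of the tri-state lookup argued for above: a dedicated metadata table of fixed-in versions, where a missing entry means 'unknown' rather than 'vulnerable', and a wrongly predicted version is corrected by a later record that supersedes it. The package name, the fixed versions and the record layout are constructed assumptions.

```python
"""Tri-state CVE status lookup against a constructed security-metadata table."""


def parse_version(v: str) -> tuple:
    """Split an IPS-style version such as '15.14.1-2016.0.0.3' into comparable tuples.

    The part before '-' is the component version, the part after it the branch
    version; tuples of ints compare correctly where plain strings would not.
    """
    comp, _, branch = v.partition("-")
    comp_t = tuple(int(x) for x in comp.split("."))
    branch_t = tuple(int(x) for x in branch.split(".")) if branch else ()
    return (comp_t, branch_t)


# Constructed records, as a dedicated security-metadata package might carry them.
# A later record for the same (cve, pkg) supersedes an earlier one, so a wrongly
# predicted fixed version is corrected by appending, and both facts stay visible.
RECORDS = [
    {"cve": "CVE-2016-9296", "pkg": "p7zip", "fixed": "15.14.1-2016.0.0.5"},  # wrong prediction (constructed)
    {"cve": "CVE-2016-9296", "pkg": "p7zip", "fixed": "15.14.1-2016.0.0.4"},  # correction (constructed)
]


def fixed_versions(records) -> dict:
    """Reduce the record list to the currently valid fixed-in version per (cve, pkg)."""
    table = {}
    for r in records:
        table[(r["cve"], r["pkg"])] = r["fixed"]
    return table


def status(pkg: str, version: str, cve: str, records=RECORDS) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for an installed package version.

    'unknown' is deliberately distinct from 'vulnerable': the metadata package
    cannot claim anything about CVEs nobody has recorded yet.
    """
    fixed = fixed_versions(records).get((cve, pkg))
    if fixed is None:
        return "unknown"
    return "fixed" if parse_version(version) >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    for ver in ("15.14.1-2016.0.0.3", "15.14.1-2016.0.0.4"):
        print(ver, status("p7zip", ver, "CVE-2016-9296"))
```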