Hi,

Today a new entry was added to the vuxml file covering all outdated ports. Where is the value in this entry? The information is already conveyed by the fact that the port has been removed.

This file should only contain real vulnerabilities, not maybe-vulnerable, non-existing ports. Right now this breaks my system for finding vulnerable ports on my systems, because all systems with legacy code show up with this entry. Please only add real vulnerabilities to this file. Maybe pkg audit should print a warning (suppressible by a command-line switch or a whitelist in the config file) when discontinued ports are installed. Putting all well-known discontinued ports in a vuxml entry isn't a clean way to do it, and it creates a false impression of security, because all the not-so-well-known discontinued ports are not in this list and users might depend on this warning.

Regards
Estartu

--
----------------------------------------------------------
Gerhard Schmidt              | E-Mail: schm...@ze.tum.de
Technische Universität München | Jabber: esta...@ze.tum.de
WWW & Online Services        | Tel: +49 89 289-25270
                             | PGP-PublicKey
Fax: +49 89 289-25257        | on request