27ecac9 @jschauma Initial import of sources from Yahoo!
Known bugs:
-----------

Patchlevels are not dealt with correctly. That is, if, for example, the
package listed in the vulnerabilities file is marked as "foo-1.2pl3" and a
package with a tiny version such as "foo-1.2.1" is installed, it may falsely
match. That is, the comparison of "foo-1.2pl3" and "foo-1.2.1" claims that the
patchlevel version is the higher one. (The converse scenario also holds.)

This is a restriction of the distutils.version.LooseVersion implementation
that is used. Presumably, the assumption is that a piece of software
wouldn't mix patchlevels with tiny versions (?). Note that the expensive
shell-out to parse_version(1) wouldn't solve this problem either: that program
operates on the same assumption.
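Added example, not part of the original sources: the script below reimplements
the LooseVersion tokenisation (and the Python 2 rule that any string sorts above
any integer, which is what produces the false match; Python 3 raises TypeError
instead) so the misordering is reproducible, and puts a patchlevel-aware
comparator next to it. The ordering it enforces, 1.2 < 1.2pl3 < 1.2.1, is an
assumption about the intended semantics, and split_pkg is a hypothetical helper,
neither of which comes from the project.

```python
import re

# Same tokenizer as distutils' LooseVersion: runs of digits, runs of letters
# and "." are the components; "." is dropped and digit runs become ints.
_COMPONENT_RE = re.compile(r"(\d+|[a-z]+|\.)", re.IGNORECASE)


def loose_components(version):
    parts = [p for p in _COMPONENT_RE.split(version) if p and p != "."]
    return [int(p) if p.isdigit() else p for p in parts]


def _py2_key(component):
    # Python 2 ordered every str above every int, so "pl" beats any number.
    # Emulate that rule explicitly to make the faulty comparison visible.
    return (1, component) if isinstance(component, str) else (0, component)


def loose_compare(a, b):
    """Compare two version strings the way LooseVersion did under Python 2.
    Returns -1, 0 or 1. "1.2pl3" vs "1.2.1" yields 1: the patchlevel wins."""
    ka = [_py2_key(c) for c in loose_components(a)]
    kb = [_py2_key(c) for c in loose_components(b)]
    return (ka > kb) - (ka < kb)


def patchlevel_components(version):
    """Split "1.2pl3" into (release tuple, patchlevel): ((1, 2), 3).
    Assumption: a trailing plN is a patch on the release it follows."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:pl(\d+))?", version)
    if not m:
        raise ValueError("unsupported version syntax: %r" % version)
    release = tuple(int(x) for x in m.group(1).split("."))
    patchlevel = int(m.group(2)) if m.group(2) is not None else 0
    return release, patchlevel


def patchlevel_compare(a, b):
    """Compare releases first, patchlevels second, so 1.2 < 1.2pl3 < 1.2.1.
    The shorter release tuple is zero-padded so 1.2 and 1.2.0 compare equal."""
    ra, pa = patchlevel_components(a)
    rb, pb = patchlevel_components(b)
    n = max(len(ra), len(rb))
    ka = (ra + (0,) * (n - len(ra)), pa)
    kb = (rb + (0,) * (n - len(rb)), pb)
    return (ka > kb) - (ka < kb)


def split_pkg(pkgname):
    """Hypothetical helper: split "foo-1.2pl3" into ("foo", "1.2pl3") at the
    last dash, which is where pkgsrc-style names carry their version."""
    name, sep, version = pkgname.rpartition("-")
    if not sep:
        raise ValueError("no version in %r" % pkgname)
    return name, version


if __name__ == "__main__":
    # Constructed sample: the pair from the bug description above.
    listed, installed = split_pkg("foo-1.2pl3")[1], split_pkg("foo-1.2.1")[1]
    print("LooseVersion order :", loose_compare(listed, installed))      # 1
    print("patchlevel-aware   :", patchlevel_compare(listed, installed)) # -1
```

Note that neither comparator can decide the patchlevel-versus-tiny case from
the string alone; the second one merely makes the chosen policy explicit
instead of inheriting it from lexical accidents of the tokenizer.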

----

Deeply nested brace expansions are not correctly dealt with. The
braceExpansion function is able to handle singly nested expansions such as
"foo-{,bar{-baz,-bla}}", but deeper levels of nesting may not yield the
expected results.

For the purposes of the vulnerability list, this seems acceptable for the time
being, as deeply nested version strings are not found. An alternative (albeit
a very expensive one) would be to shell out to zsh to do brace expansion.
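Added example, not the project's braceExpansion function: a small
recursive-descent expander that handles braces at any nesting depth, so the
pattern quoted above and deeper ones expand in-process without shelling out to
zsh. Only the "{a,b}" alternative syntax is implemented (no ranges); an
unbalanced opening brace raises ValueError instead of silently producing a
pattern that matches nothing.

```python
def brace_expand(pattern):
    """Expand "{a,b{c,d}}"-style alternatives at arbitrary depth.
    Returns the list of words in left-to-right order, like a shell would."""
    words, pos = _parse_sequence(pattern, 0, top_level=True)
    if pos != len(pattern):
        raise ValueError("unbalanced braces in %r" % pattern)
    return words


def _parse_sequence(s, pos, top_level):
    """Consume literal text and brace groups; stop at ',' or '}' unless at
    the top level, where both are ordinary characters. Returns (words, pos)."""
    results = [""]
    while pos < len(s):
        ch = s[pos]
        if ch == "{":
            alternatives, pos = _parse_group(s, pos + 1)
            # Cartesian product: every prefix so far times every alternative.
            results = [r + a for r in results for a in alternatives]
        elif ch in ",}" and not top_level:
            break
        else:
            results = [r + ch for r in results]
            pos += 1
    return results, pos


def _parse_group(s, pos):
    """Parse comma-separated alternatives up to the matching '}'. Each
    alternative is itself a sequence, which is what gives us deep nesting."""
    alternatives = []
    while True:
        seq, pos = _parse_sequence(s, pos, top_level=False)
        alternatives.extend(seq)
        if pos >= len(s):
            raise ValueError("missing closing brace in %r" % s)
        if s[pos] == ",":
            pos += 1
            continue
        return alternatives, pos + 1  # s[pos] == "}"


if __name__ == "__main__":
    # Constructed samples: the pattern from the bug text and a deeper one.
    for p in ("foo-{,bar{-baz,-bla}}", "a{b{c{d,e},f},g}h", "plain-1.2"):
        print(p, "->", brace_expand(p))
```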