Re: CVE check for Octave dependencies
From: Pascal Dupuis
Subject: Re: CVE check for Octave dependencies
Date: Thu, 19 Dec 2013 10:43:46 +0100

My original purpose was to list Octave's main dependencies and check for
recent CVE announcements. Currently two packages are concerned, cURL
and GraphicsMagick; see
http://wiki.octave.org/Building

I agree that if some port has some dependency which has issues
reported in CVE, this has to be flagged. Now this task becomes
formidable as the first-level tree contains further ramifications,
some of them platform-dependent. So
1) having the list of dependencies and CVE announcements is A Good Thing
2) having some tool checking per-platform the whole dependency tree
against CVE would be better

The first proposal indeed requires checking CVE manually, then deciding
whether or not Octave is concerned. The second proposal automates this
task.

Regards
Pascal

2013/12/19 Reza Housseini <address@hidden>:
>
>
>
> On Thu, Dec 19, 2013 at 10:24 AM, c. <address@hidden> wrote:
>>
>>
>> On 19 Dec 2013, at 08:54, Reza Housseini <address@hidden> wrote:
>>
>> > I think dependencies of dependencies shouldn't be on the list (will be
>> > resolved when user is installing the dependencies).
>>
>> They will be resolved automatically if using a package manager like
>> macports, but I know at least one core developer who strongly opposes
>> using a package manager to build Octave binaries on OSX. In the latter
>> case knowing all build- and run-time dependencies is useful info.
>>
>> In any case here is a (much shorter) list including direct dependencies
>> only:
>>
>> $ sudo port installed and depof:octave-next
>> +atlas+gcc47-x11+no_x11-aquaterm-metis-wxwidgets+qt and active | sed
>> 's/(active)//g'
>> Password:
>> The following ports are currently installed:
>> arpack @3.1.3_0+atlas+gcc47
>> atlas @3.10.1_5+gcc47
>> bison @2.7.1_0
>> curl @7.33.0_0+ssl
>> epstool @3.08_6
>> fftw-3 @3.3.3_5+gcc47
>> fftw-3-single @3.3.3_5+gcc47
>> flex @2.5.37_1
>> gawk @4.1.0_0
>> ghostscript @9.10_1+no_x11
>> glpk @4.48_0
>> gnuplot @4.6.4_1+luaterm+pangocairo+qt
>> gperf @3.0.4_2
>> GraphicsMagick @1.3.18_0+q8
>> grep @2.14_0
>> gsed @4.2.2_0
>> hdf5-18 @1.8.11_0+cxx+gcc47
>> less @458_0
>> libgcc @4.8.2_0
>> ncurses @5.9_2
>> pcre @8.33_0
>> perl5 @5.12.4_0+perl5_12
>> pstoedit @3.61_3
>> qhull @2012.1_2
>> qrupdate @1.1.2_2+atlas+gcc47
>> qscintilla @2.7.2_0
>> readline @6.2.000_0
>> SuiteSparse @4.2.1_0+atlas
>> zlib @1.2.8_0
>>
>> Notice that this list applies when building from a released tarball,
>> building from mercurial will require more stuff (at least latex to build the
>> docs).
>> c.
>
>
>> Notice that this list applies when building from a released tarball,
>> building from mercurial will require more stuff (at least latex to build the
>> docs).
>
> So I suggest we provide a tarball list, a diff to the mercurial list and
> eventually a diff to the full dependencies?
>
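
Added example (not part of the original messages, and not an Octave or MacPorts tool): a sketch of the second proposal in Pascal's message, parsing the `port installed` listing quoted above and flagging ports older than a fixed-in version. The advisory entries, their ids and fixed-in versions are constructed placeholders, and all function names are hypothetical.

```python
import re
from typing import NamedTuple

class Port(NamedTuple):
    name: str
    version: str
    revision: int
    variants: tuple

# "name @version_revision+variant...", the format of the listing quoted in the thread
PORT_LINE = re.compile(r"^\s*(\S+)\s+@([^_+\s]+)(?:_(\d+))?((?:\+\w+)*)\s*$")

def parse_ports(text):
    """Return a Port per listing line; header and prompt lines do not match."""
    ports = []
    for m in filter(None, map(PORT_LINE.match, text.splitlines())):
        name, version, rev, variants = m.groups()
        ports.append(Port(name, version, int(rev or 0), tuple(variants.split("+")[1:])))
    return ports

def version_key(version):
    """Numeric key so that 1.2.10 > 1.2.8 and 6.2.000 == 6.2."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def flag_outdated(ports, advisories):
    """Return (name, installed version, advisory id) where installed < fixed-in."""
    hits = []
    for port in ports:
        installed = version_key(port.version)
        for package, fixed_in, adv_id in advisories:
            if package.lower() == port.name.lower() and installed < version_key(fixed_in):
                hits.append((port.name, port.version, adv_id))
    return hits

# Four entries copied from the listing in the thread, plus its header line.
SAMPLE = """The following ports are currently installed:
  curl @7.33.0_0+ssl
  GraphicsMagick @1.3.18_0+q8
  readline @6.2.000_0
  zlib @1.2.8_0
"""
# Constructed advisory data: ids and fixed-in versions are placeholders, not real CVEs.
ADVISORIES = [("curl", "7.34.0", "EXAMPLE-0001"), ("graphicsmagick", "1.3.18", "EXAMPLE-0002"),
              ("readline", "6.2", "EXAMPLE-0003"), ("zlib", "1.2.10", "EXAMPLE-0004")]
if __name__ == "__main__":
    print(flag_outdated(parse_ports(SAMPLE), ADVISORIES))
```

Matching by port name alone only covers the first-level list; the per-platform transitive tree discussed in the thread would need the package manager's own dependency query as input.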