octave-maintainers

Re: CVE check for Octave dependencies


From: Pascal Dupuis
Subject: Re: CVE check for Octave dependencies
Date: Thu, 19 Dec 2013 10:43:46 +0100

My original purpose was to list Octave main dependencies and check for
recent CVE announcements. Currently two packages are concerned, cURL
and GraphicsMagick; see
http://wiki.octave.org/Building

I agree that if some port has some dependency which has issues
reported in CVE, this has to be flagged. Now this task becomes
formidable as the first-level tree contains further ramifications,
some of them are platform-dependent. So
1) having the list of dependencies and CVE announcements is A Good Thing
2) having some tool checking per-platform the whole dependency tree
against CVE would be better

The first proposal indeed requires checking CVE manually, then deciding
whether or not Octave is concerned. The second proposal automates this
task.

Regards

Pascal

2013/12/19 Reza Housseini <address@hidden>:
>
>
>
> On Thu, Dec 19, 2013 at 10:24 AM, c. <address@hidden> wrote:
>>
>>
>> On 19 Dec 2013, at 08:54, Reza Housseini <address@hidden> wrote:
>>
>> > I think dependencies of dependencies shouldn't be on the list (will be
>> > resolved when user is installing the dependencies).
>>
>> They will be resolved automatically if using a package manager like
>> macports, but I know at least one core developer who strongly opposes
>> using a package manager to build Octave binaries on OSX. In the latter
>> case knowing all build- and run-time dependencies is useful info.
>>
>> In any case here is a (much shorter) list including direct dependencies
>> only:
>>
>> $ sudo port installed and depof:octave-next
>> +atlas+gcc47-x11+no_x11-aquaterm-metis-wxwidgets+qt and active | sed
>> 's/(active)//g'
>> Password:
>> The following ports are currently installed:
>>   arpack @3.1.3_0+atlas+gcc47
>>   atlas @3.10.1_5+gcc47
>>   bison @2.7.1_0
>>   curl @7.33.0_0+ssl
>>   epstool @3.08_6
>>   fftw-3 @3.3.3_5+gcc47
>>   fftw-3-single @3.3.3_5+gcc47
>>   flex @2.5.37_1
>>   gawk @4.1.0_0
>>   ghostscript @9.10_1+no_x11
>>   glpk @4.48_0
>>   gnuplot @4.6.4_1+luaterm+pangocairo+qt
>>   gperf @3.0.4_2
>>   GraphicsMagick @1.3.18_0+q8
>>   grep @2.14_0
>>   gsed @4.2.2_0
>>   hdf5-18 @1.8.11_0+cxx+gcc47
>>   less @458_0
>>   libgcc @4.8.2_0
>>   ncurses @5.9_2
>>   pcre @8.33_0
>>   perl5 @5.12.4_0+perl5_12
>>   pstoedit @3.61_3
>>   qhull @2012.1_2
>>   qrupdate @1.1.2_2+atlas+gcc47
>>   qscintilla @2.7.2_0
>>   readline @6.2.000_0
>>   SuiteSparse @4.2.1_0+atlas
>>   zlib @1.2.8_0
>>
>> Notice that this list applies when building from a released tarball,
>> building from mercurial will require more stuff (at least latex to build the
>> docs).
>> c.
>
>
>> Notice that this list applies when building from a released tarball,
>> building from mercurial will require more stuff (at least latex to build the
>> docs).
>
> So I suggest we provide a tarball list, a diff to the mercurial list and
> eventually a diff to the full dependencies?
>
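
The second proposal in the message above (a tool that checks installed dependencies against CVE data), as an added example that is not part of the original thread: it parses the `port installed` format quoted above and flags ports older than an advisory's fixed version. The advisory feed, its ids and its fixed versions are constructed placeholders, not real CVE data, and the function names are hypothetical.

```python
import re

# Sample lines in the `port installed` format quoted in the thread above.
PORT_OUTPUT = """\
The following ports are currently installed:
  curl @7.33.0_0+ssl
  GraphicsMagick @1.3.18_0+q8
  zlib @1.2.8_0
  readline @6.2.000_0
"""

# Constructed advisory feed (placeholder ids and versions, NOT real CVE data):
# lowercase package name -> list of (advisory id, first fixed version).
ADVISORIES = {
    "curl": [("CVE-PLACEHOLDER-0001", "7.35.0")],
    "graphicsmagick": [("CVE-PLACEHOLDER-0002", "1.3.18")],
    "zlib": [("CVE-PLACEHOLDER-0003", "1.2.10")],
}

# "  name @version_revision+variants"; the header line has no leading spaces.
PORT_LINE = re.compile(r"^\s+(?P<name>\S+)\s+@(?P<version>[^_+\s]+)(?:_\d+)?\S*")

def parse_ports(text):
    """Return {port name: upstream version} from `port installed` output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[m.group("name")] = m.group("version")
    return ports

def version_key(version):
    """Dotted version as a tuple that compares numerically (1.2.8 < 1.2.10)."""
    parts = re.split(r"[.\-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def affected(ports, advisories):
    """List (port, installed, advisory id, fixed) where installed < fixed."""
    hits = []
    for name, installed in sorted(ports.items()):
        for adv_id, fixed in advisories.get(name.lower(), []):
            if version_key(installed) < version_key(fixed):
                hits.append((name, installed, adv_id, fixed))
    return hits

if __name__ == "__main__":
    for name, installed, adv_id, fixed in affected(parse_ports(PORT_OUTPUT), ADVISORIES):
        print(f"{name} {installed}: {adv_id}, fixed in {fixed}")
```

This covers only the flat list of installed ports; walking each platform's full dependency tree would need the package manager's own dependency query as input.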

