-rw-r--r-- chapter03/packages.xml 24
1 files changed, 15 insertions, 9 deletions
diff --git a/chapter03/packages.xml b/chapter03/packages.xml
index 5b1976f47..aa927e60a 100644
--- a/chapter03/packages.xml
+++ b/chapter03/packages.xml
@@ -10,6 +10,21 @@
<title>All Packages</title>
+ <note>
+ <para>Read the <ulink url='&secadv;'>security advisories</ulink>
+ before downloading packages to figure out if a newer version of any
+ package should be used to avoid security vulnerabilities.</para>
+
+ <para>The upstreams may remove old releases, especially when these
+ releases contain a security vulnerability. If one URL below is not
+ reachable, you should read the security advisories first to figure out
+ if a newer version (with the vulnerability fixed) should be used. If
+ not, try to download the removed package from a mirror. Although it's
+ possible to download an old release from a mirror even if this release
+ has been removed because of a vulnerability, it's not recommended to
+ use a release known to be vulnerable for building your system.</para>
+ </note>
+
<para>Download or otherwise obtain the following packages:</para>
<variablelist role="materials">
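Review bot: the second <para> of the new note sends readers to a mirror when an upstream URL is unreachable, but it never tells them to check the mirror copy against the MD5 sum that each package entry lists, which is the one integrity check this page offers for a tarball that did not come from the upstream URL. Suggest adding a sentence after "try to download the removed package from a mirror" saying that the file must match the MD5 sum given for the package below. Style: url='&secadv;' uses single quotes while the neighbouring ulink elements in this file use double quotes (url="&expat-home;"), and "The upstreams may remove" would read better as "Upstream maintainers may remove".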
@@ -173,15 +188,6 @@
<para>Home page: <ulink url="&expat-home;"/></para>
<para>Download: <ulink url="&expat-url;"/></para>
<para>MD5 sum: <literal>&expat-md5;</literal></para>
- <note>
- <para>The upstream may remove tarballs of the specific releases of
- <application>Expat</application> when these releases contain a
- security vulnerability. You should refer to
- <ulink url='&lfs-root;lfs/advisories/'>LFS security advisories</ulink>
- to figure out which version (with the vulnerability fixed) should
- be used. You may download the vulnerable version from a mirror,
- but it's not recommended.</para>
- </note>
</listitem>
</varlistentry>
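Review bot: the note removed from the Expat listitem linked to '&lfs-root;lfs/advisories/', while its replacement at the top of the page links to &secadv;, and this commit touches only packages.xml. Please confirm that &secadv; is already defined in the entity files and resolves to the same advisories page, otherwise the page will fail to validate or point somewhere else. With the per-package note gone, nothing at the Expat entry itself points to the advisories any more, so a reader who jumps straight to that entry depends on having read the page-level note; a short mention in the commit message that this move is intentional would help.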