aboutsummaryrefslogtreecommitdiffstats
path: root/chapter03
diff options
context:
space:
mode:
Diffstat (limited to 'chapter03')
-rw-r--r--chapter03/packages.xml24
1 files changed, 15 insertions, 9 deletions
diff --git a/chapter03/packages.xml b/chapter03/packages.xml
index 5b1976f47..aa927e60a 100644
--- a/chapter03/packages.xml
+++ b/chapter03/packages.xml
@@ -10,6 +10,21 @@
<title>All Packages</title>
+ <note>
+ <para>Read the <ulink url='&secadv;'>security advisories</ulink>
+ before downloading packages to figure out if a newer version of any
+ package should be used to avoid security vulnerabilities.</para>
+
+ <para>The upstreams may remove old releases, especially when these
+ releases contain a security vulnerability. If one URL below is not
+ reachable, you should read the security advisories first to figure out
+ if a newer version (with the vulnerability fixed) should be used. If
+ not, try to download the removed package from a mirror. Although it's
+ possible to download an old release from a mirror even if this release
+ has been removed because of a vulnerability, it's not recommended to
+ use a release known to be vulnerable for building your system.</para>
+ </note>
+
<para>Download or otherwise obtain the following packages:</para>
<variablelist role="materials">
@@ -173,15 +188,6 @@
<para>Home page: <ulink url="&expat-home;"/></para>
<para>Download: <ulink url="&expat-url;"/></para>
<para>MD5 sum: <literal>&expat-md5;</literal></para>
- <note>
- <para>The upstream may remove tarballs of the specific releases of
- <application>Expat</application> when these releases contain a
- security vulnerability. You should refer to
- <ulink url='&lfs-root;lfs/advisories/'>LFS security advisories</ulink>
- to figure out which version (with the vulnerability fixed) should
- be used. You may download the vulnerable version from a mirror,
- but it's not recommended.</para>
- </note>
</listitem>
</varlistentry>