ports/126853: ports-mgmt/portaudit: speed up audit of installed packages

Mel fbsd.hackers at rachie.is-a-geek.net
Mon Oct 6 11:07:55 UTC 2008


On Monday 06 October 2008 12:28:48 Eygene Ryabinkin wrote:
> Mel, good day.
>
> Mon, Oct 06, 2008 at 11:24:54AM +0200, Mel wrote:
> > On Monday 06 October 2008 07:23:37 Eygene Ryabinkin wrote:
> > > But downloading the INDEX file from the central server seemed to be the
> > > best way, since it almost always gives one the latest port versions, so
> > > I had implemented this in a first place.
> >
> > I've been following this, but I don't agree that (port|pkg_)audit should
> > do this, from the very perspective you're writing this program from:
>
> The download is done not by the portaudit itself, but by the helper
> script, portaudit-checknew.
>
> > On Sunday 28 September 2008 11:49:18 Eygene Ryabinkin wrote:
> > > 4. I feel that it is Unix-way to do the things: create small utilities
> > >    that do their (small) job in a proper fashion.
> >
> > Instead, it can provide installed-pkgname<separator>pkgorigin output.
> > Then, any utility can check whether a new version is available, using
> > whatever source it finds relevant.
> >
> > For example, it is completely irrelevant if a new version is available on
> > the FreeBSD servers, when your machine uses a buildserver in a local
> > network. For those machines it's relevant whether their build server has
> > a new version and one can automatically upgrade if one so desires.
> > Similarly, if your /usr/ports is ahead of the FreeBSD's INDEX.bz2, you're
> > again reporting false information.
>
> I hear you, but it seems to me that I should just equip
> portaudit-checknew with the other sources of a new ports information and
> provide tunables for their location (on-disk path, URL, etc).  I am
> planning to do this, but first I want to know if these patches will be
> viable for the project: feeding these into the /dev/null or just using
> them locally, but equipping with a lot of functionality, is not what I
> really want ;))
>
> > It's also quite trivial to provide this availability information in a
> > daily security script, for the "majority of cases"
>
> Didn't get it, sorry.  Could you, please, elaborate a bit?

Once you have the origin of the port, you can:
- make -C $PORTSDIR/$origin -V PKGNAME
- get the matching origin(s) out of ${INDEXDIR}/${INDEXFILE}
- get the matching origin(s) out of a downloaded INDEX.bz2

This covers the majority of cases.

What portaudit lacks, is providing the origin along with the installed package
name in an easily parseable format. So, a central server wanting to query all
the machines for vulnerable packages, now has to do an extra step of going 
into $PKG_DBDIR/$pkgname/+CONTENTS and getting the @comment ORIGIN: line, 
while (port|pkg_)audit has just been there.

This would be something I'd expect:
ssh clientmachine "/usr/sbin/pkg_audit -l"
foo-1.2,3:misc/foo
bar-4.5_6:devel/bar
...

-- 
Mel
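The two steps Mel sketches above, emitting `pkgname:origin` from the installed-package database and then matching each origin against an INDEX, as an added shell example. This is not portaudit's, portaudit-checknew's or pkg_install's own code. It assumes the pkg_install database layout `$PKG_DBDIR/<pkgname>/+CONTENTS` with an `@comment ORIGIN:` line, and the INDEX layout where field 1 is the PKGNAME and field 2 the absolute port directory; the sample database and INDEX lines it builds are constructed for the demo. Deciding which of two differing PKGNAMEs is newer needs `pkg_version -t`, which is deliberately not assumed here, so the report only says "differs".

```shell
#!/bin/sh
# Added example, not portaudit code.  Lists installed packages as
# pkgname:origin and compares each origin's PKGNAME against an INDEX file.
# Assumption: pkg_install layout $PKG_DBDIR/<pkgname>/+CONTENTS.

PKG_DBDIR="${PKG_DBDIR:-/var/db/pkg}"

# Print "pkgname:origin" for every package directory under $1.
# A package whose +CONTENTS has no ORIGIN line is reported on stderr and
# skipped, so a consumer never gets a half-filled record.
list_pkg_origins() {
    dbdir="$1"
    for d in "$dbdir"/*/; do
        [ -f "$d/+CONTENTS" ] || continue
        pkg=$(basename "$d")
        origin=$(sed -n 's/^@comment ORIGIN:\(.*\)$/\1/p' "$d/+CONTENTS" | head -n 1)
        if [ -z "$origin" ]; then
            echo "no ORIGIN in $pkg" >&2
            continue
        fi
        printf '%s:%s\n' "$pkg" "$origin"
    done
}

# Print the PKGNAME(s) an INDEX file ($1) lists for origin $2.
# Assumption: field 1 is PKGNAME, field 2 is /usr/ports/<category>/<port>.
index_pkgname() {
    idx="$1"; origin="$2"
    awk -F'|' -v o="$origin" '
        { n = split($2, p, "/"); if (p[n-1] "/" p[n] == o) print $1 }' "$idx"
}

# Read "pkgname:origin" lines on stdin; print "installed origin indexname"
# for every origin whose INDEX PKGNAME differs from the installed one.
check_against_index() {
    idx="$1"
    while IFS=: read -r pkg origin; do
        for cand in $(index_pkgname "$idx" "$origin"); do
            if [ "$cand" != "$pkg" ]; then
                printf '%s %s %s\n' "$pkg" "$origin" "$cand"
            fi
        done
    done
}

# Constructed sample database and INDEX so the script runs offline.
make_sample_db() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/foo-1.2,3" "$tmp/bar-4.5_6" "$tmp/broken-0.1"
    printf '@name foo-1.2,3\n@comment ORIGIN:misc/foo\n@cwd /usr/local\nbin/foo\n' \
        > "$tmp/foo-1.2,3/+CONTENTS"
    printf '@name bar-4.5_6\n@comment ORIGIN:devel/bar\n' > "$tmp/bar-4.5_6/+CONTENTS"
    printf '@name broken-0.1\n' > "$tmp/broken-0.1/+CONTENTS"
    printf 'foo-1.3|/usr/ports/misc/foo|/usr/local|A foo|\n' > "$tmp/INDEX"
    printf 'bar-4.5_6|/usr/ports/devel/bar|/usr/local|A bar|\n' >> "$tmp/INDEX"
    echo "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    db=$(make_sample_db)
    echo "# installed:"
    list_pkg_origins "$db"
    echo "# differs from INDEX:"
    list_pkg_origins "$db" 2>/dev/null | check_against_index "$db/INDEX"
    rm -rf "$db"
fi
```

Run with `--demo` to see the constructed case; without it, `list_pkg_origins "$PKG_DBDIR"` is what a `pkg_audit -l` style listing would produce, and its output can be piped over ssh to `check_against_index` pointed at whichever INDEX (local build server, `${INDEXDIR}/${INDEXFILE}`, or a downloaded INDEX.bz2) is relevant to that machine.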


More information about the freebsd-ports mailing list