AUDITFILE default for ports users

Mark Felder feld at feld.me
Sun Jul 19 01:45:54 UTC 2015



On Sat, Jul 18, 2015, at 20:35, Ion-Mihai Tetcu wrote:
> On Sat, 18 Jul 2015 17:30:52 -0500
> Mark Felder <feld at feld.me> wrote:
> 
> > 
> > > On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu <itetcu at FreeBSD.org>
> > > wrote:
> > > 
> > > Hi,
> > > 
> > > 
> > > I have some machines on which, for various reasons, only ports are
> > > used.
> > > 
> > > On upgrading ports, I keep running into the fact that
> > > /var/db/pkg/vuln.xml is lagging
> > > behind /usr/ports/security/vuxml/vuln.xml which is updated via
> > > portsnap (and thus upgrading the vulnerable ports fails).
> > > 
> > > So I'd like to propose defaulting to vuln.xml from ports if it is
> > > newer than the one from /var/db/pkg/ and AUDITFILE is not defined
> > > by the user.
> > > 
> > > Tentative patch attached (I'm not happy with the != construct).
> > > 
> > 
> > I might be slightly lost here regarding what issue you're hitting.
> 
> Described above :)
> I'm mostly an old-time ports user (as opposed to packages user).
> 
> > The vuln.xml database at /var/db/pkg/vuln.xml is updated
> > by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis.
> 
> Yes, and if a fix for a known vuln was just committed, updating the
> ports tree and upgrading the port will get the system patched faster
> than waiting for the package to be built on the cluster. A ports user
> would portsnap the ports, which will get a more up-to-date vuln.xml
> than the one that was fetched by nightly cron.
> 
> > If your database is out of date you can simply force a fetch of the
> > database with `pkg audit -F`.
> 
> Yes, or define AUDITFILE to be the one from ports in make.conf.
> However both require manual action; I'm just proposing a (I think sane)
> default.
> 
> > Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished
> > state from working on creating new entries
> 
> One could argue you should do devel on an svn co'ed copy of the tree,
> not the system one :) so I don't regard this as a valid argument.
> 

I do development on /usr/ports which is a readonly checkout and used by
poudriere, and then have another ports tree I apply patches to
(~/svn/freebsd/ports) which is used for committing. :-)

> > and I am not sure I would want the ports tree to think it should use
> > that database just because it has a newer timestamp.
> 
> I don't know a cheaper way to check if it's more up-to-date.
> 
> > I suppose I would have to think about this a bit more... I'm not
> > sure. Having two sources of "truth" seems like a disaster waiting to
> > happen.
> 
> True. But except if http://vuxml.freebsd.org/freebsd/vuln.xml.bz2
> update is triggered by each commit it will lag behind the (master)
> version in the ports tree.
> How often is this file fetched by `pkg audit -F` updated?
> 

It's re-generated by cron every 5 minutes.

> At least for now, one can't really mix ports and packages on a daily
> basis; a ports user would tend to ignore pkg features not directly
> related to locally installed package management (delete/which/info/...).
> 
> >  I'm curious to hear what the other ports-secteam members think.
> 
> 


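The selection rule debated in this thread, as an added example (it is not the patch attached to the original mail, which is not reproduced on this page). The function names `looks_complete` and `select_auditfile` are hypothetical, and the completeness check is an assumption of this example, added because a newer timestamp alone would also select a half-edited ports copy.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Paths are those in the thread.
PKG_DB_VULN=${PKG_DB_VULN:-/var/db/pkg/vuln.xml}
PORTS_VULN=${PORTS_VULN:-/usr/ports/security/vuxml/vuln.xml}

# Return 0 if the file looks like a finished database.
# With xmllint installed, require well-formed XML. Otherwise fall back to a
# weaker heuristic (assumption of this example): the last non-blank line
# closes the <vuxml> root element, which only catches truncation.
looks_complete() {
    [ -s "$1" ] || return 1
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout --nonet "$1" >/dev/null 2>&1 && return 0
        return 1
    fi
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    case $last in
        *'</vuxml>'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the database path to audit against.
# 1. An explicit AUDITFILE set by the user always wins.
# 2. The ports copy is used only if it is newer AND looks complete.
# 3. Otherwise keep the copy maintained by pkg (single source of truth).
select_auditfile() {
    pkgdb=${1:-$PKG_DB_VULN}
    ports=${2:-$PORTS_VULN}
    if [ -n "${AUDITFILE:-}" ]; then
        printf '%s\n' "$AUDITFILE"
    elif [ -f "$ports" ] && looks_complete "$ports" &&
         { [ ! -f "$pkgdb" ] || [ "$ports" -nt "$pkgdb" ]; }; then
        printf '%s\n' "$ports"
    else
        printf '%s\n' "$pkgdb"
    fi
}

# Usage: pkg audit -f "$(select_auditfile)"
```
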