pkg audit false negatives

Remko Lodder remko at FreeBSD.org
Fri Aug 11 15:14:33 UTC 2017


Hi Roger,

> On 11 Aug 2017, at 04:41, Roger Marquis <marquis at roble.com> wrote:
> 
> In the past pkg-audit and even pkg-version have not been reliable tools
> where installed ports or packages have been subsequently discontinued or
> renamed.  Today, however, I notice that dovecot2 is still showing up in
> the output of pkg-version despite the port having been renamed to
> dovecot (without the numeric suffix) several days ago.

Yes, there is a difference between renaming a port, and renaming the vuxml (which is the
database behind pkg audit etc.) entries. The entries are listed as ‘dovecot2-*’ there and
when renaming a port these entries should ideally be renamed too.

It seems that that was not under consideration at the name change moment(s).

I’ll try to look into this (starting by prodding the person(s) who did the rename) and asking them
to rename the entries in vuxml as well.

> 
> Does this mean there has been a policy change?  If so does it cover
> pkg-audit as well?

There had been no policy change. The application backend is just matching on what
was recorded at the moment it was added.

Thanks for the notification though, we should add that to the porters-handbook.

Cheers
Remko

> 
> Roger
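The name-based matching described above, as an added example that is not code from the post, from pkg or from vuxml: a toy audit over a constructed vuxml fragment shows that an installed `dovecot` no longer matches an entry still recorded as `dovecot2`, and a suffix-stripping heuristic flags such rename gaps for review. The version comparison is a deliberate simplification of pkg's.

```python
# Added example (not the pkg audit implementation): vuxml entries match on the
# package name recorded when the entry was written, so a renamed port is missed.
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed vuxml fragment: the entry still names the old port "dovecot2".
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-0000"><topic>dovecot -- constructed example entry</topic>
    <affects><package><name>dovecot2</name>
      <range><ge>2.0</ge><lt>2.2.31</lt></range></package></affects>
  </vuln>
</vuxml>"""

def parse_version(v):
    # Simplification of pkg's version ordering: dotted numeric parts only.
    return tuple(int(p) for p in v.split("."))

def in_range(version, ge, lt):
    v = parse_version(version)
    if ge and v < parse_version(ge):
        return False
    if lt and v >= parse_version(lt):
        return False
    return True

def load_vuxml(text):
    """Return a list of (vid, [package names], [(ge, lt), ...])."""
    entries = []
    for vuln in ET.fromstring(text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in pkg.findall("v:name", NS)]
            ranges = [(r.findtext("v:ge", namespaces=NS), r.findtext("v:lt", namespaces=NS))
                      for r in pkg.findall("v:range", NS)]
            entries.append((vuln.get("vid"), names, ranges))
    return entries

def audit(installed, entries):
    """installed: {pkgname: version}. Returns (hits, rename_candidates)."""
    hits, candidates = [], []
    strip = lambda n: re.sub(r"\d+$", "", n)  # heuristic: drop numeric suffix
    for vid, names, ranges in entries:
        for name in names:
            if name in installed and any(in_range(installed[name], ge, lt) for ge, lt in ranges):
                hits.append((name, vid))
            for inst in installed:  # entry name differs only by a suffix: possible rename gap
                if inst != name and strip(inst) == strip(name):
                    candidates.append((inst, name))
    return hits, sorted(set(candidates))
```

A hit means the entry fired; a rename candidate means the installed package is not audited at all against that entry and the vuxml name needs manual review.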
