pkg audit false negatives

[Remko Lodder]

> On 11 Aug 2017, at 23:47, Roger Marquis <marquis at roble.com> wrote:
> 
>> It had been resolved for dovecot (it will now match both variants, since people might still have
>> the old variant of the port installed) and there is a new paragraph added to the porters handbook
>> which tells that we need to have a look at the vuxml entries.
> 
> Thanks Remko.

No problemo :)

> 
>> Hope this solves your issue,
> 
> It may for renamed ports/pkgs but doesn't appear to for deprecations.
> Once ports are dropped they do not show up in pkg-audit despite having
> been installed via pkg and/or ports.  That's the false negative that
> appears to still be a problem.

Ports / pkgs that get renamed are now changed and/or added in VuXML as well.
So the old variant and the new variant of the name’s would both be listed in pkg audit.

pkg audit parses VuXML, it also does a check on what is locally registered in it’s database.

For example if you have a/b installed. And that has a marking in VuXML : <package>b</package>
then it would hit on the package you have. If a/b gets removed for some reason, and it is still in VuXML
and you have it locally registered. Then it would be still be matched (or should).

If an entry is removed from the ports/pkg tree’s and it is also removed from VuXML, then yes, it will
no longer get marked in your local installation. That’s a bit of a chicken and egg basically. Although
I do not recall that it ever happened that ports that are no longer there, are removed from VuXML as
well. (And I follow that since 2004).

Do you have a more concrete example that we can dive into to see what is going on/going wrong?

Cheers
Remko


> 
> Roger

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freebsd.org/pipermail/freebsd-pkg/attachments/20170811/545b0214/attachment.sig>