FYI: new port security/portaudit-db

Oliver Eikemeier eikemeier at fillmore-labs.com
Sun Jun 13 09:16:20 GMT 2004


Dear porters and port users,

I've added a new port security/portaudit-db that complements security/portaudit for users that have a current ports tree and want to generate the portaudit database themselves, possibly distributing it over their local network. This will save you the traffic downloading information that is already on your local machine and avoid the lag that is currently associated with the mirroring process.

Basically you just need to install security/portaudit-db and do `packaudit' every time after your ports tree has been updated. Try `portaudit -d', it should show the current date afterwards.

This port also features a MOVED style file (database/portaudit.txt) where UUIDs for vulnerabilities can be allocated before they are researched thoroughly and moved to the VuXML database. When you fix a vulnerability in one of your ports, please add at least an entry to this file, so that this fact doesn't go unnoticed. Of course a full VuXML entry is preferred.


I take this announcement as an opportunity to make a plea to all port maintainers:

* please stick with *one* PKGNAMESUFFIX (possibly using a combined one like -sasl-client)

* please *do not* change the structure of the package's version number according to included components.

Let's take for example port `myport' which has optional components c1 and c2. This *should not* result in the following package names:

   port-v
   port-suf1-v+v1
   port-suf2-v+v2
   port-suf1-suf2-v+v1+v2

because I need 2^(number of components) entries to catch all possible combinations, for example the recent vulnerability in www/apache13-modssl would need 32 entries in the vulnerability database, which seems a little high. A net effect is that many combinations are not recognized, and users remain unprotected even though they assume the opposite. If you need to record the included components, please do this in the pkg-message, which is displayed with pkg_info -D.

Again:

* a port should *not* change its version numbering based on included components

* restrain yourself to *one* suffix in the package name (and use a dash to separate it from the main port's name)

Thanks
-Oliver
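An added illustration of the naming problem raised in the plea above (example code, not part of portaudit or portaudit-db). It models a simplified audit check with assumed semantics: package names split at the last dash, entries match by exact name, and only plain dotted versions are understood, so the `v+v1' version shape produced by folding components into the version is never matched. The component names and the "1.3" fixed version are constructed placeholders.

```python
from itertools import combinations

# Constructed vulnerability entries: (package name, first fixed version).
VULN = [("myport", "1.3"), ("myport-suf1", "1.3")]


def split_pkg(pkg):
    """Split an installed package name at its last dash into name and version."""
    name, _, version = pkg.rpartition("-")
    return name, version


def version_tuple(version):
    """Parse a plain dotted version into a comparable tuple.
    Returns None for versions the database cannot interpret, such as the
    '1.2+3.4' form that appears when component versions are appended."""
    try:
        return tuple(int(p) for p in version.split("."))
    except ValueError:
        return None


def is_affected(pkg, entries):
    """True if pkg matches an entry by exact name and its version is below
    the entry's fixed version. An unparseable version is reported as not
    affected, which is exactly the silent gap the mail warns about."""
    name, version = split_pkg(pkg)
    v = version_tuple(version)
    if v is None:
        return False
    return any(name == n and v < version_tuple(fixed) for n, fixed in entries)


def names_to_cover(base, components):
    """Every package name the per-component suffix scheme can produce:
    one per subset of components, i.e. 2**len(components) database entries."""
    names = []
    for k in range(len(components) + 1):
        for subset in combinations(components, k):
            names.append("-".join((base,) + subset))
    return names


if __name__ == "__main__":
    print(is_affected("myport-suf1-1.2", VULN))       # caught by the second entry
    print(is_affected("myport-suf1-1.2+3.4", VULN))   # missed: version shape differs
    print(is_affected("myport-suf2-1.2", VULN))       # missed: no entry for this suffix
    # five constructed component names give the 32 entries mentioned above
    print(len(names_to_cover("apache13-modssl", ["c1", "c2", "c3", "c4", "c5"])))
```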


