FYI: new port security/portaudit-db
Oliver Eikemeier
eikemeier at fillmore-labs.com
Sun Jun 13 09:16:20 GMT 2004
Dear porters and port users,
I've added a new port security/portaudit-db that complements security/portaudit for users that have a current ports tree and want to generate the portaudit database themselves, possibly distributing it over their local network. This will save you the traffic downloading information that is already on your local machine and avoid the lag that is currently associated with the mirroring process.
Basically you just need to install security/portaudit-db and do `packaudit' every time after your ports tree has been updated. Try `portaudit -d', it should show the current date afterwards.
This port also features a MOVED style file (database/portaudit.txt) where UUIDs for vulnerabilities can be allocated before they are researched thoroughly and moved to the VuXML database. When you fix a vulnerability in one of your ports, please add at least an entry to this file, so that this fact doesn't go unnoticed. Of course a full VuXML entry is preferred.
I take this announcement as an opportunity to make a plea to all port maintainers:

* please stick with *one* PKGNAMESUFFIX (possibly using a combined one like -sasl-client)
* please *do not* change the structure of the package's version number according to included components.
Let's take for example port `myport' which has optional components c1 and c2. This *should not* result in the following package names:

    port-v
    port-suf1-v+v1
    port-suf2-v+v2
    port-suf1-suf2-v+v1+v2

because I need 2^(number of components) entries to catch all possible combinations, for example the recent vulnerability in www/apache13-modssl would need 32 entries in the vulnerability database, which seems a little high. A net effect is that many combinations are not recognized, and users remain unprotected even though they assume the opposite. If you need to record the included components, please do this in the pkg-message, which is displayed with pkg_info -D.
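An added example, not part of this mail or of portaudit itself: a toy Python matcher with a deliberately simplified version comparison and exact-name entries, run over constructed package names, showing how the combined-suffix scheme described above produces 2^n names for one port and leaves most of them unflagged by a single vulnerability entry.

```python
from itertools import combinations

def split_pkgname(pkgname):
    """Split 'name-1.2.3' into ('name', '1.2.3') at the last dash."""
    name, _, version = pkgname.rpartition("-")
    return name, version

def version_key(version):
    """Toy comparison key: numeric dotted parts of the main version only
    (anything after a '+' is ignored). Real pkg_version rules are richer."""
    main = version.split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in main.split("."))

def is_affected(pkgname, entry):
    """entry = (port name, exclusive upper bound of the vulnerable range).
    Only an exact name match counts, as a per-name database entry would."""
    name, version = split_pkgname(pkgname)
    ename, bound = entry
    return name == ename and version_key(version) < version_key(bound)

def audit(installed, entries):
    """Installed packages flagged by at least one vulnerability entry."""
    return sorted(p for p in installed if any(is_affected(p, e) for e in entries))

def missed(installed, entries):
    """Installed packages that no entry flags: the coverage gap."""
    return sorted(set(installed) - set(audit(installed, entries)))

def combined_names(base, version, components):
    """Package names produced by the scheme the mail argues against: one
    extra suffix and one '+version' per included optional component, so
    2^(number of components) distinct names exist for the same port."""
    names = []
    for n in range(len(components) + 1):
        for subset in combinations(components, n):
            suffixes = "".join("-" + s for s, _ in subset)
            extras = "".join("+" + v for _, v in subset)
            names.append(f"{base}{suffixes}-{version}{extras}")
    return names

if __name__ == "__main__":
    # Constructed sample: an apache 1.3 build with two optional components
    # and a single entry saying "apache below 1.3.31 is vulnerable".
    pkgs = combined_names("apache", "1.3.30", [("modssl", "2.8.17"), ("ipv6", "0.1")])
    entries = [("apache", "1.3.31")]
    print(len(pkgs), "package names, flagged:", audit(pkgs, entries))
    print("left unprotected:", missed(pkgs, entries))
```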
Again:

* a port should *not* change its version numbering based on included components
* restrain yourself to *one* suffix in the package name (and use a dash to separate it from the main port's name)
Thanks
-Oliver