ports/126853: ports-mgmt/portaudit: speed up audit of installed packages

Sun Sep 28 11:14:34 UTC 2008

Eygene Ryabinkin wrote:
> Roman, good day.
> 
> Sat, Sep 27, 2008 at 08:18:08PM +0400, Roman Kurakin wrote:
> 
>>Have you also posted this to ports@?
> 
> 
> No, forgot to do it.  CC'ing ports@
> 
> Thanks!
> 
> The original posting to hackers@ goes below.  It will be double-posted
> to the bug-followup@ -- sorry for this.
> 
> 
>>Eygene Ryabinkin wrote:
>>
>>>Good day.
>>>
>>>A while ago I had created the new utility that serves as VuXML
>>>filter for the installed packages:
>>>  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/126853
>>>
>>>My primary intention was to speed up the process of auditing the
>>>vulnerable ports: I needed to run portaudit checks with Nagios and to
>>>avoid large timeouts.
>>>
>>>The new utility is called pkg_audit and it serves as a simple text
>>>filter: on input it takes the full VuXML feed and on output it puts
>>>VuXML entries that matches ports that are installed in the system with
>>>port version specification substituted with the actual port versions.
>>>
>>>No harm is done to the actual poartudit -- if pkg_audit is missing, old
>>>code path is activated.
>>>
>>>If someone is interested and will be able to test -- I am all ears.
> 
> 
> Additional clarifications inspired by the off-line talk with rik@:
> I could take another route and add this functionality to the pkg_info.
> I took another approach for the following reasons.
> 
> 1. pkg_info's option list is already quite big -- around 32 options
>    and switches.
> 
> 2. It is easier to test for the presence of the new tool (pkg_audit)
>    and use it, instead of checking the support for the new option in
>    pkg_info.
> 
> 3. I see no options in pkg_info that can be naturally extended to
>    absorbe the new functionality.  The closest is '-E', but pkg_audit
>    needs to read VuXML entries, choose ones that are present in the system
>    and output the found VuXML entries with version templates substituted
>    with the real entries, so pkg_audit is filter-like utility.  In my
>    opinion, such extension of pkg_info's "-E" will be very unnatural.
> 
> 4. I feel that it is Unix-way to do the things: create small utilities
>    that do their (small) job in a proper fashion.  Moreover, since the
>    majority of a code sits in the pkg_install's library, there is a very
>    slight code duplication, if any.

Is there any possibility to cooperate portaudit / pkg_audit with 
pkg_version to show vulnerable package with information if newer (not 
vulnerable) package (or port) version is available for upgrade to?

If I read nightly security e-mail with for example 4 vulnerable 
packages, then I need to log in to server and manualy try, if newer 
(fixed) packages are available. It seems not so hard to check output of 
`pkg_version -vIL =` and compare both versions (installed and available) 
with portaudit in some shellscript, I didn't start to write it yet ;).

Miroslav Lachman