portaudit won't let me build some ports

Mike Brown mike at skew.org
Sat Apr 13 07:36:28 UTC 2013


I'm posting this overdue followup mostly for the benefit of anyone searching 
for this info, and for the maintainers of bsd.port.mk and portaudit.

On Jun 6, 2012, I wrote:
> What's going on with portaudit?
> It always prints 7 useless lines of "done"

Why "/var/db/portaudit/auditfile.tbz: done" shows up at all:

  My environment contains BZIP2=-v.

  I put that in there ages ago, because I like to see the extra output
  when compressing files, and I grew tired of typing it by hand.
  Unfortunately, it also affects decompression output.

Why it shows up many times in a row:

  portaudit decompresses its database file that many times as part of its 
  normal operation. Perhaps there's some room for optimization there.
  /usr/ports/Mk/bsd.port.mk just decompresses it once, to a temp file.

> and now it has started stopping me from building some ports, due to "known 
> vulnerabilities", even though there are no vulnerabilities in the database. 

I believe this is a combination of problems with portaudit and bsd.port.mk.

bsd.port.mk saves portaudit's output (list of vulnerabilities in the current 
package) to a variable, and interprets it as having said vulnerabilities are 
present if it contains the string "X problem(s) found.", where X is any string 
of digits, including "0".

            vlist=`${LOCALBASE}/sbin/portaudit -X 14 "${PKGNAME}" \
                2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' \
                || true`; \

With BZIP2=-v in the environment, the output of portaudit will contain all the 
bzip2 "done" messages, and then, if there are no vulnerabilities, it might say 
"0 problem(s) found."

Surely "0 problem(s) found." is not cause for stopping a build. The regex in 
bsd.port.mk should probably be '^[1-9][0-9]+ problem\(s\) found.'

I'm not sure if it's possible to avoid picking up the verbose bzip2 output. 
portaudit could pass -q to BZIP2, but that might suppress desirable error 
messages. I leave that for you guys to worry about. :)

> Last time I ran portmaster -a, I had to completely remove portaudit just so 
> I could get everything to build. Now that I've reinstalled it, it's still 
> causing me grief.

Mental note: a better option is to define DISABLE_VULNERABILITIES before 
building any ports. See ports(7) man page.

Thanks for reading.
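
Added example (not part of the original post, and not code from portaudit or bsd.port.mk): the capture pipeline quoted above, run against a hypothetical stub named fake_portaudit that emits constructed output, to show what lands in vlist when BZIP2=-v is exported and when BZIP2 is unset for that one call. The verdict helper and its "non-empty means blocked" rule are assumptions made for the illustration.

```shell
#!/bin/sh
# Stand-in for portaudit (hypothetical stub, constructed output). It mimics
# what the post describes: bzip2 honours $BZIP2, so "-v" makes each
# decompression of the database write a "done" line to stderr.
fake_portaudit() {
    case " ${BZIP2:-} " in
        *" -v "*)
            for i in 1 2 3; do
                echo "/var/db/portaudit/auditfile.tbz: done" >&2
            done ;;
    esac
    echo "0 problem(s) found."
}

# Capture as quoted from bsd.port.mk: stderr is merged into stdout, then
# grep -v drops the summary line and keeps every other line.
capture_merged() {
    fake_portaudit 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true
}

# Variant (assumption, not the project's code): unset BZIP2 in a subshell
# for this one call. stderr stays merged, so real error text is still kept.
capture_clean() {
    ( unset BZIP2; fake_portaudit 2>&1 ) \
        | grep -vE '^[0-9]+ problem\(s\) found.' || true
}

# Assumption: the caller treats any non-empty captured text as a finding.
verdict() {
    if [ -n "$1" ]; then echo "blocked"; else echo "ok"; fi
}

BZIP2=-v; export BZIP2      # the environment described in the post
echo "merged capture:  $(verdict "$(capture_merged)")"
echo "BZIP2 unset:     $(verdict "$(capture_clean)")"
```

The general point for anything that parses a tool's output to make a security decision: environment variables that change the tool's verbosity become part of the parsed input unless the caller clears them.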

