portaudit won't let me build some ports

Michael Gmelin freebsd at grem.de
Sat Apr 13 12:04:30 UTC 2013

On Sat, 13 Apr 2013 01:36:26 -0600 (MDT)
Mike Brown <mike at skew.org> wrote:

> I'm posting this overdue followup mostly for the benefit of anyone
> searching for this info, and for the maintainers of bsd.port.mk and
> portaudit.
> On Jun 6, 2012, I wrote:
> > What's going on with portaudit?
> > It always prints 7 useless lines of "done"
> Why "/var/db/portaudit/auditfile.tbz: done" shows up at all:
>   My environment contains BZIP2=-v.
>   I put that in there ages ago, because I like to see the extra output
>   when compressing files, and I grew tired of typing it by hand.
>   Unfortunately, it also affects decompression output.
> Why it shows up many times in a row:
>   portaudit decompresses its database file that many times as part of
> its normal operation. Perhaps there's some room for optimization
> there. /usr/ports/Mk/bsd.port.mk just decompresses it once, to a temp
> file.
> > and now it has started stopping me from building some ports, due to
> > "known vulnerabilities", even though there are no vulnerabilities
> > in the database. 
> I believe this is a combination of problems with portaudit and
> bsd.port.mk.
> bsd.port.mk saves portaudit's output (list of vulnerabilities in the
> current package) to a variable, and interprets it as having said
> vulnerabilities are present if it contains the string "X problem(s)
> found.", where X is any string of digits, including "0".
>             vlist=`${LOCALBASE}/sbin/portaudit -X 14 "${PKGNAME}" \
>                 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' \
>                 || true`; \
> With BZIP2=-v in the environment, the output of portaudit will
> contain all the bzip2 "done" messages, and then, if there are no
> vulnerabilities, it might say "0 problem(s) found."
> Surely "0 problem(s) found." is not cause for stopping a build. The
> regex in bsd.port.mk should probably be '^[1-9][0-9]+ problem\(s\)
> found.'
> I'm not sure if it's possible to avoid picking up the verbose bzip2
> output. portaudit could pass -q to BZIP2, but that might suppress
> desirable error messages. I leave that for you guys to worry about. :)
> > Last time I ran portmaster -a, I had to completely remove portaudit
> > just so I could get everything to build. Now that I've reinstalled
> > it, it's still causing me grief.
> Mental note: a better option is to define DISABLE_VULNERABILITIES
> before building any ports. See ports(7) man page.
> Thanks for reading.

Hi Mike,

I submitted a bug report for a related problem about a year ago:


In that case the unrelated output line is caused by downloading the
auditfile (the workaround I suggested is very simple and only fixes
that particular problem).


Michael Gmelin
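
The parsing problem discussed in this thread, as an added example that is not part of either message or of bsd.port.mk: it feeds constructed portaudit-style output through the quoted grep filter to show what remains, then reads only the count on the summary line. The sample lines and the helper names (noisy_clean, noisy_vulnerable, vlist_filter, has_problems) are assumptions.

```shell
#!/bin/sh
# Added example; sample outputs are constructed, not captured from portaudit.

# Clean package, but BZIP2=-v leaks bzip2's "done" lines into the output.
noisy_clean() {
    printf '%s\n' \
        '  /var/db/portaudit/auditfile.tbz: done' \
        '  /var/db/portaudit/auditfile.tbz: done' \
        '0 problem(s) found.'
}

# Package with one finding (field layout is an assumption).
noisy_vulnerable() {
    printf '%s\n' \
        '  /var/db/portaudit/auditfile.tbz: done' \
        'Affected package: example-1.0' \
        'Type of problem: example -- constructed entry.' \
        '1 problem(s) found.'
}

# The filter quoted in the thread: drop the summary line, keep the rest.
vlist_filter() {
    grep -vE '^[0-9]+ problem\(s\) found.' || true
}

# Stricter check: read only the summary line and compare its count to 0.
# Exit 0 = findings, 1 = none, 2 = no summary line (caller should fail closed).
has_problems() {
    count=$(sed -nE 's/^([0-9]+) problem\(s\) found\.$/\1/p' | tail -n 1)
    [ -n "$count" ] || return 2
    [ "$count" -gt 0 ]
}

vlist=$(noisy_clean | vlist_filter)
[ -n "$vlist" ] && echo "filter output is non-empty on a clean run:" && echo "$vlist"
noisy_clean | has_problems || echo "summary check: clean"
noisy_vulnerable | has_problems && echo "summary check: vulnerable"
```
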
