AUDITFILE default for ports users

Mark Felder feld at feld.me
Sat Jul 18 22:31:15 UTC 2015


> On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu <itetcu at FreeBSD.org> wrote:
> 
> Hi,
> 
> 
> I have some machines on which, for various reasons, only ports are used.
> 
> On upgrading ports, I keep running into the fact that
> /var/db/pkg/vuln.xml is lagging behind /usr/ports/security/vuxml/vuln.xml
> which is updated via portsnap (and thus upgrading the vulnerable ports
> fails).
> 
> So I'd like to propose defaulting to vuln.xml from ports if it is newer
> than the one from /var/db/pkg/ and AUDITFILE is not defined by the user.
> 
> Tentative patch attached (I'm not happy with the != construct).
> 

I might be slightly lost here regarding what issue you're hitting. The vuln.xml database at /var/db/pkg/vuln.xml is updated by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis. If your database is out of date you can simply force a fetch of the database with `pkg audit -F`.

Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished state from working on creating new entries and I am not sure I would want the ports tree to think it should use that database just because it has a newer timestamp.

I suppose I would have to think about this a bit more... I'm not sure. Having two sources of "truth" seems like a disaster waiting to happen. I'm curious to hear what the other ports-secteam members think.
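The selection logic under discussion, written out as an added example (this is not the patch attached to the original mail, nor code from the ports framework): pick the ports tree copy of vuln.xml only when it is newer than the pkg-maintained copy, the user has not set AUDITFILE, and the ports copy looks like a complete VuXML document rather than a half-edited working file. The helper name `vuxml_complete` and its closing-tag heuristic are assumptions made for this illustration; the paths are the defaults named in the thread.

```shell
#!/bin/sh
# Added example: choose an audit database the way the thread proposes,
# with a guard against an unfinished working copy in the ports tree.
# Not the patch from the mail; helper names below are hypothetical.

PKGDB_VULN=/var/db/pkg/vuln.xml
PORTS_VULN=/usr/ports/security/vuxml/vuln.xml

# vuxml_complete FILE
# Cheap well-formedness check (assumption: a finished VuXML document ends
# with its closing </vuxml> root tag). A file being edited for a new entry
# typically lacks it, so it is skipped even if its mtime is newer.
vuxml_complete() {
    [ -s "$1" ] || return 1
    tail -c 512 "$1" | grep -q '</vuxml>'
}

# pick_auditfile PKGDB_COPY PORTS_COPY
# Prints the path to use as AUDITFILE:
#   - an explicit AUDITFILE from the environment always wins;
#   - otherwise the ports copy, if it exists, is newer, and is complete;
#   - otherwise the pkg-maintained copy under /var/db/pkg.
pick_auditfile() {
    pkgdb="$1"
    ports="$2"
    if [ -n "$AUDITFILE" ]; then
        printf '%s\n' "$AUDITFILE"
        return 0
    fi
    if [ -f "$ports" ] && [ "$ports" -nt "$pkgdb" ] && vuxml_complete "$ports"; then
        printf '%s\n' "$ports"
    else
        printf '%s\n' "$pkgdb"
    fi
}

# Stand-alone use on a FreeBSD host: show which database would be audited.
if [ -f "$PKGDB_VULN" ]; then
    printf 'AUDITFILE would be: %s\n' "$(pick_auditfile "$PKGDB_VULN" "$PORTS_VULN")"
fi
```

Note that this only narrows the "two sources of truth" problem the reply objects to; it does not remove it. If the pkg copy is merely stale, refreshing it with `pkg audit -F` (the nightly job in 410.pkg-audit does the same) keeps a single authoritative database and avoids the comparison entirely.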