AUDITFILE default for ports users

Mark Felder feld at
Sat Jul 18 22:31:15 UTC 2015

> On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu <itetcu at> wrote:
> Hi,
> I have some machines on which, for various reasons, only ports are used.
> On upgrading ports, I keep running into the fact that
> /var/db/pkg/vuln.xml is lagging behind /usr/ports/security/vuxml/vuln.xml
> which is updated via portsnap (and thus upgrading the vulnerable ports
> fails).
> So I'd like to propose defaulting to vuln.xml from ports if it is newer
> than the one from /var/db/pkg/ and AUDITFILE is not defined by the user.
> Tentative patch attached (I'm not happy with the != construct).

I might be slightly lost here regarding what issue you're hitting. The vuln.xml database at /var/db/pkg/vuln.xml is updated by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis. If your database is out of date you can simply force a fetch of the database with `pkg audit -F`.

Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished state from working on creating new entries and I am not sure I would want the ports tree to think it should use that database just because it has a newer timestamp.

I suppose I would have to think about this a bit more... I'm not sure. Having two sources of "truth" seems like a disaster waiting to happen. I'm curious to hear what the other ports-secteam members think.
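The selection rule proposed in the quoted mail, combined with the work-in-progress caveat from the reply, as an added POSIX sh example; it is not the patch attached to the thread (which is not on this page), the paths and the AUDITFILE variable come from the thread, and the "complete file" check on a closing `</vuxml>` element is an assumption used to approximate an unfinished edit.

```shell
#!/bin/sh
# Added example, not the patch from the thread: pick which vuln.xml to audit
# against. An explicit AUDITFILE wins; otherwise the ports-tree copy is used
# only when it is newer than the pkg copy AND looks complete.

PKG_VULN=${PKG_VULN:-/var/db/pkg/vuln.xml}
PORTS_VULN=${PORTS_VULN:-/usr/ports/security/vuxml/vuln.xml}

# A half-edited vuln.xml (the case raised in the reply) normally lacks the
# closing root element, so a file without it is treated as unusable.
# Assumption: the root element of VuXML is <vuxml>.
vuxml_complete() {
    [ -s "$1" ] || return 1
    tail -c 64 "$1" | grep -q '</vuxml>'
}

# Usage: select_auditfile USER_AUDITFILE PKG_COPY PORTS_COPY
# Prints the path to audit against; exits 1 if nothing usable exists.
select_auditfile() {
    user_file=$1 pkg_file=$2 ports_file=$3

    # 1. A user-defined AUDITFILE is never second-guessed.
    if [ -n "$user_file" ]; then
        printf '%s\n' "$user_file"
        return 0
    fi

    # 2. Prefer the ports copy when it is complete and either the pkg copy
    #    is absent or the ports copy is strictly newer (-nt on mtime).
    if vuxml_complete "$ports_file" \
       && { [ ! -f "$pkg_file" ] || [ "$ports_file" -nt "$pkg_file" ]; }; then
        printf '%s\n' "$ports_file"
        return 0
    fi

    # 3. Fall back to the pkg database, which `pkg audit -F` refreshes.
    if [ -f "$pkg_file" ]; then
        printf '%s\n' "$pkg_file"
        return 0
    fi
    return 1
}

# Stand-alone use: mirror the defaults the ports framework would see.
if [ "${0##*/}" = "select_auditfile.sh" ]; then
    select_auditfile "${AUDITFILE:-}" "$PKG_VULN" "$PORTS_VULN"
fi
```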