AUDITFILE default for ports users

Ion-Mihai Tetcu itetcu at
Sun Jul 19 01:35:50 UTC 2015

On Sat, 18 Jul 2015 17:30:52 -0500
Mark Felder <feld at> wrote:

> > On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu <itetcu at>
> > wrote:
> > 
> > Hi,
> > 
> > 
> > I have some machines on which, for various reasons, only ports are
> > used.
> > 
> > On upgrading ports, I keep running into the fact that
> > /var/db/pkg/vuln.xml is lagging
> > behind /usr/ports/security/vuxml/vuln.xml which is updated via
> > portsnap (and thus upgrading the vulnerable ports fails).
> > 
> > So I'd like to propose defaulting to vuln.xml from ports if it is
> > newer than the one from /var/db/pkg/ and AUDITFILE is not defined
> > by the user.
> > 
> > Tentative patch attached (I'm not happy with the != construct).
> > 
> I might be slightly lost here regarding what issue you're hitting.

Described above :)
I'm mostly an old-time ports user (as opposed to packages user).

> The vuln.xml database at /var/db/pkg/vuln.xml is updated
> by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis.

Yes, and if a fix for a known vuln was just committed, updating the
ports tree and upgrading the port will get the system patched faster
than waiting for the package to be built on the cluster. A ports user
would portsnap the ports, which will get a more up-to-date vuln.xml
than the one that was fetched by the nightly cron.

> If your database is out of date you can simply force a fetch of the
> database with `pkg audit -F`.

Yes, or define AUDITFILE to be the one from ports in make.conf.
However both require manual action; I'm just proposing a (I think sane)

> Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished
> state from working on creating new entries

One could argue you should do devel on an svn co'ed copy of the tree,
not the system one :) so I don't regard this as a valid argument.

> and I am not sure I would want the ports tree to think it should use
> that database just because it has a newer timestamp.

I don't know a cheaper way to check if it's more up-to-date.

> I suppose I would have to think about this a bit more... I'm not
> sure. Having two sources of "truth" seems like a disaster waiting to
> happen.

True. But unless the update is triggered by each commit, it will lag
behind the (master) version in the ports tree.
How often is the file fetched by `pkg audit -F` updated?

At least for now, one can't really mix ports and packages on a daily
basis; a ports user would tend to ignore pkg features not directly
related to locally installed package management (delete/which/info/...).

> I'm curious to hear what the other ports-secteam members think.

IOnut - Un^d^dregistered ;) FreeBSD "user"
  "Intellectual Property" is nowhere near as valuable as "Intellect"
FreeBSD committer -> itetcu at, PGP Key ID 29597D20
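A shell sketch of the selection rule proposed in this thread, added here as an illustration and not the patch from the mail (which is not attached): it keeps an explicit AUDITFILE, otherwise prefers the ports tree's vuln.xml only when it is strictly newer than the copy under /var/db/pkg, and skips a ports copy that lacks a closing tag, which is one cheap guard against the half-edited file case raised above. The default paths are the ones named in the thread; the closing-tag check assumes the VuXML root element is `vuxml`.

```shell
#!/bin/sh
# pick_auditfile [user_auditfile] [ports_vuln] [pkg_vuln]
# Prints the path that should be used as AUDITFILE; exits 1 if none exists.
# Defaults are the two files discussed in the thread.
pick_auditfile() {
    user="$1"
    ports="${2:-/usr/ports/security/vuxml/vuln.xml}"
    pkgdb="${3:-/var/db/pkg/vuln.xml}"

    # 1. An explicit setting (e.g. AUDITFILE in make.conf) always wins.
    if [ -n "$user" ]; then
        printf '%s\n' "$user"
        return 0
    fi

    # 2. Use the ports copy only if it exists, looks complete (assumption:
    #    a finished vuln.xml ends with </vuxml>), and is newer by mtime
    #    than the pkg copy (or the pkg copy is missing).
    if [ -f "$ports" ] && grep -q '</vuxml>' "$ports"; then
        if [ ! -f "$pkgdb" ] || [ "$ports" -nt "$pkgdb" ]; then
            printf '%s\n' "$ports"
            return 0
        fi
    fi

    # 3. Fall back to the copy maintained by 410.pkg-audit / pkg audit -F.
    if [ -f "$pkgdb" ]; then
        printf '%s\n' "$pkgdb"
        return 0
    fi
    return 1
}

# Usage on a real system:
#   AUDITFILE=$(pick_auditfile "${AUDITFILE:-}") || echo "no vuln.xml found" >&2
```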

