Working of "pkg audit <unofficially updated port>"

Jason Unovitch jason.unovitch at
Thu Oct 8 02:26:21 UTC 2015

On Wed, Oct 07, 2015 at 04:02:25PM -1000, parv at wrote:
> (Sent to -questions@ on Oct 3 but hadn't got any reply, so sending
> to @ports now. Also, situation below is before www/firefox was
> updated to 41.0.)
> I want to know if running "pkg audit" makes any sense for a port
> installed that has not been updated officially yet. Also, is it
> possible to supplement the vuxml catalog for such ports installed?
> Firefox 39 or 40 had been installed from ports. I got tired of
> seeing package being vulnerable on every ports tree update process
> that rebuilds "security/vuxml". As the "www/firefox" port has not
> been updated yet, so I fetched source of firefox 41.0.1; updated
> distinfo; installed (after rebuilding databases/sqlite3 with DBSTAT
> option & moving out "files/patch-bug702179" out of "files").
> Now I see vulnerability warnings going back to 2004, which are
> just useless & rather amusing. At least the installed firefox is not
> vulnerable any more (yet).
> Apparently per pkg-version
>   # pkg version -t 41.0.1 41.0,1
>   <

The PORTEPOCH here (the ,1) will always make the second version newer than
the first.  If you do any local updates then keep the PORTEPOCH and it
would work as intended.  If you do a local update, don't forget the most
import step... the patch to Bugzilla of course.

More information about the freebsd-ports mailing list