Ports EOL vuxml entry
Roger Marquis
marquis at roble.com
Mon Aug 22 13:54:28 UTC 2016
> today there was a new entry added to the vuxml file including all
> outdated ports. Where is the value in this Entry.
This is good news for many of us Gerhard, who depend on the output of
'pkg audit' for vulnerability information.
> In this file should only are real vulnerabilities and not maybe
> vulnerable not existing ports.
You raise two issues here, A) what constitutes a 'real' vulnerability
and B) how else would you be warned of probable vulnerabilities (due to
unmaintained and unaudited code). There is 'pkg version' of course but
few sites use this flag and fewer still use it for vulnerability
information.
> Right now this breaks my system to find vulnerable ports on my systems
> because all systems with legacy code show up with this entry.
Can you post details of how it breaks your system?
> Maybe pkg audit should be print a warning (suppressible by a commandline
> switch or a whiltelist in the config file) when discontinued ports are
> installed.
A command line switch to ignore deprecated, discontinued and otherwise
unadited ports is an excellent idea though I don't think there will be
much demand for it. A default 'warn if deprecated' will no doubt be the
modal usage and benefit the larger community (who have until now been
mislead by the output of 'pkg audit').
Thanks for the heads-up.
Roger
More information about the freebsd-security
mailing list