From: "Kevin D. Kinsey, DaleCo, S.P."
Date: Thu, 18 Nov 2004 12:27:38 -0600
To: "Dan Mahoney, System Admin"
cc: questions@freebsd.org
cc: doc@freebsd.org
Subject: Re: ports vulnerabilities
Message-ID: <419CE99A.40404@daleco.biz>
In-Reply-To: <20041117150247.Q16295@prime.gushi.org>

Dan Mahoney, System Admin wrote:

> I had heard a bit about the new "vulnerability check" in
> FreeBSD's ports. I tried reading /usr/ports/updating and saw something
> like:
>
> Description: A new vulnerabilities database has been added to the
> ports system in order to keep more accurate, up-to-date, track of
> security vulnerabilities. The ports system now knows how to query
> that database and dynamically prevents the installation of vulnerable
> ports.
>
> I had to do some more digging around on various googles to find out
> that in order to USE this ability, I had to install the portaudit port.
> This seems like a useful feature, but I'm curious: Why isn't this in
> the base system?

I can't answer that, as I'm nobody special. The functionality
is rather new, and I'm assuming that either they wanted more
"modularity" in keeping with some other recent trends, or else
they plan to put it in base but haven't yet, or, quite possibly,
it's not yet the Best Thing(tm) to do for some reason that
seems unclear to me (and maybe to you as well...)

>
> I tried to install a port which had a conflict (ImageMagick)
> but I didn't feel the vulnerability was significant enough to
> warrant waiting for a new port to be created. I looked in
> the ports man page for an override environment variable,
> but "vulnerability check" isn't even mentioned there.
> Could this please get stuck into the manpages?
>
> -Dan Mahoney

I'm cc-ing to doc@ ... we'll see if anyone wants to comment.
[ Umm, yeah ... they're great guys, but busy. We'll see....]

You might also check with ports@ ... or just file a PR and see
what comes of it. It's also quite possible that spending some
time in the ports@ list archives might turn up some of the info
you're looking for....

Also, what manpage would you *expect* to see this information
in? You mention ports(7), but someone already thinks "this
manpage is too long" ;-)

Let discussion begin?

Kevin Kinsey
DaleCo, S.P.