From owner-freebsd-stable Tue Apr 24 12:52:25 2001
Date: Tue, 24 Apr 2001 12:52:16 -0700
From: Sean Chittenden
To: Kris Kennaway
Cc: Calvin NG, Sean Chittenden, Jeff Kletsky, freebsd-stable@FreeBSD.ORG, bmah@FreeBSD.ORG
Subject: Re: pkg_version perl hacker project
Message-ID: <20010424125216.L19530@rand.tgd.net>
In-Reply-To: <20010424120052.H89156@xor.obsecurity.org>; from "kris@obsecurity.org" on Tue, Apr 24, 2001 at 12:00:52PM

On Tue, Apr 24, 2001 at 12:00:52PM -0700, Kris Kennaway wrote:
> At least it was a learning experience, right? :-)

Yeah... I still want to learn more about the ports skeleton files, though; it seems like there could be a chunk of work done on standardizing the formats of Makefiles, but that's my opinion after about an hour of investigation.

> If you're still in pkg_* perl script hacking mode, we could use a
> utility which does the following:

Alright, I'll see if I can whip something out over the next few days. What kind of advisories do you want to support? I'm assuming BSD and that's it... maybe CERT.

> Parses a set of ports security advisories, extracts a list of
> vulnerable package versions described in some form (regex/glob
> expression/etc) and checks for any vulnerable packages installed.

Why not set up a mirrorable, online index of all ports that are forbidden? Have it run over HTTP so that proxy support should be cake, and ... rest's history.

> We'd need to agree on a standard form to use in the advisories to aid
> in parsing.

Yup!

> This could be done as an extension to pkg_version, since much of the
> code you will need to manage versions is already there, and it's a
> logical extension of that program's function.

I'll probably do a stand-alone that depends on pkg_version, then merge the two.

> NetBSD have a port called audit-packages which does something similar,
> but not quite the same as the above (last I checked) -- it might still
> be useful as a starting point.
>
> Interested?

Yeah, why not. With a tool like this, it'd make security a part of an SA's daily routine. Tonight I'll dive through my archived mail and look for a few advisories to model after. Is there a central clearing house for all advisories, or some kind of database that can be queried? Are advisories distributed with a system? I haven't seen them in my cvsup logs, but this wouldn't be the first thing I've glanced over and not noticed (ex: pkg_version).

-sc

-- 
Sean Chittenden
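The tool Kris sketches above (parse advisories in an agreed form, extract the vulnerable version expressions, compare against what pkg_info reports) can be demonstrated in a few dozen lines. The following is an added example written for this page, not code from either poster or from FreeBSD: it assumes a hypothetical one-line-per-advisory format, uses constructed advisory and installed-package data, is written in Python rather than the Perl discussed in the thread, and compares versions the way the ports tree's X.Y_PORTREVISION,PORTEPOCH scheme requires, so a revision-bumped fix or an epoch bump is not misreported as vulnerable.

```python
import re

# Constructed advisory index in a hypothetical line format (not a real
# FreeBSD format): "<advisory-id> <package> <op><version>", op in < <= == >= >
ADVISORIES = """\
EXAMPLE-ADV-01 zlib <1.1.4
EXAMPLE-ADV-02 apache <=1.3.20
EXAMPLE-ADV-03 openssh ==2.3.0
EXAMPLE-ADV-04 bar <2.0
"""
# Constructed pkg_info(1)-style list of installed packages (name-version).
INSTALLED = ["zlib-1.1.3_1", "apache-1.3.20", "openssh-2.3.0_2", "bar-1.0,1"]

_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
        ">=": lambda c: c >= 0, ">": lambda c: c > 0}

def parse_version(ver):
    """Split 'X.Y_R,E' into (PORTEPOCH E, [(num, suffix), ...], PORTREVISION R)."""
    epoch = revision = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    parts = []
    for p in ver.split("."):
        m = re.match(r"(\d*)(.*)", p)          # leading number, trailing letters
        parts.append((int(m.group(1) or 0), m.group(2)))
    return epoch, parts, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    width = max(len(pa), len(pb))          # pad so that 1.2 == 1.2.0
    pa, pb = pa + [(0, "")] * (width - len(pa)), pb + [(0, "")] * (width - len(pb))
    return ((ea, pa, ra) > (eb, pb, rb)) - ((ea, pa, ra) < (eb, pb, rb))

def audit(installed, advisories):
    """Return (installed-package, advisory-id) pairs for vulnerable installs."""
    hits = []
    for line in advisories.splitlines():
        adv_id, pkg, constraint = line.split()
        op, ver = re.match(r"(<=|>=|==|<|>)(.+)", constraint).groups()
        for inst in installed:
            name, inst_ver = inst.rsplit("-", 1)   # package names may contain '-'
            if name == pkg and _OPS[op](compare_versions(inst_ver, ver)):
                hits.append((inst, adv_id))
    return hits
```

Running `audit(INSTALLED, ADVISORIES)` flags zlib and apache only: openssh-2.3.0_2 escapes the `==2.3.0` advisory because its PORTREVISION marks a rebuilt port, and bar-1.0,1 escapes `<2.0` because its PORTEPOCH outranks the dotted version.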