From: Ion-Mihai Tetcu (itetcu@FreeBSD.org)
Date: Sun, 19 Jul 2015 04:35:47 +0300
To: Mark Felder
Cc: ports-secteam@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: AUDITFILE default for ports users
Message-ID: <20150719043547.4dd7c3b6@it.tim.tetcu.info>
In-Reply-To: <379A9DE0-1D84-44F2-914F-3985FFA7320E@feld.me>
References: <20150718141713.5153018d@it.tim.tetcu.info> <379A9DE0-1D84-44F2-914F-3985FFA7320E@feld.me>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; amd64-portbld-freebsd10.1)
List-Id: Porting software to FreeBSD

On Sat, 18 Jul 2015 17:30:52 -0500 Mark Felder wrote:

> > On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu wrote:
> >
> > Hi,
> >
> > I have some machines on which, for various reasons, only ports are
> > used.
> > On upgrading ports, I keep running into the fact that
> > /var/db/pkg/vuln.xml is lagging behind
> > /usr/ports/security/vuxml/vuln.xml, which is updated via portsnap
> > (and thus upgrading the vulnerable ports fails).
> >
> > So I'd like to propose defaulting to vuln.xml from ports if it is
> > newer than the one from /var/db/pkg/ and AUDITFILE is not defined
> > by the user.
> >
> > Tentative patch attached (I'm not happy with the != construct).
>
> I might be slightly lost here regarding what issue you're hitting.

Described above :)
I'm mostly an old-time ports user (as opposed to a packages user).

> The vuln.xml database at /var/db/pkg/vuln.xml is updated
> by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis.

Yes, and if a fix for a known vuln was just committed, updating the ports
tree and upgrading the port will get the system patched faster than
waiting for the package to be built on the cluster. A ports user would
portsnap the ports, which will get a more up-to-date vuln.xml than the
one that was fetched by the nightly cron.

> If your database is out of date you can simply force a fetch of the
> database with `pkg audit -F`.

Yes, or define AUDITFILE to be the one from ports in make.conf. However,
both require manual action; I'm just proposing a (I think sane) default.

> Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished
> state from working on creating new entries

One could argue you should do devel on an svn co'ed copy of the tree,
not the system one :) so I don't regard this as a valid argument.

> and I am not sure I would want the ports tree to think it should use
> that database just because it has a newer timestamp.

I don't know a cheaper way to check if it's more up-to-date.

> I suppose I would have to think about this a bit more... I'm not
> sure. Having two sources of "truth" seems like a disaster waiting to
> happen.

True.
But unless the http://vuxml.freebsd.org/freebsd/vuln.xml.bz2 update is
triggered by each commit, it will lag behind the (master) version in the
ports tree. How often is this file, the one fetched by `pkg audit -F`,
updated?

At least for now, one can't really mix ports and packages on a daily
basis; a ports user would tend to ignore pkg features not directly
related to locally installed package management (delete/which/info/...).

> I'm curious to hear what the other ports-secteam members think.

--
IOnut - Un^d^dregistered ;) FreeBSD "user"
"Intellectual Property" is nowhere near as valuable as "Intellect"
FreeBSD committer -> itetcu@FreeBSD.org, PGP Key ID 29597D20