Date: Tue, 19 Oct 2004 20:32:13 -0400 (EDT)
From: Dan Langille
To: "Jacques A. Vidrine"
Cc: freebsd-vuxml@freebsd.org
Subject: Re: can portaudit report a fixed date/version?

On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:

> > It would save many admins quite a bit of time.
>
> How so? (serious question)

I don't have time just now to answer the other questions but I can
answer this one.

Portaudit tells me that port xyz is vulnerable. But there is no fix.
How do I know when there is a fix? Only by checking FreshPorts, cvs
logs, the ports tree, trying to install the port, portupgrade, etc. I
could do this daily for days without a fix.

Instead, if portaudit reported that port xyz is vulnerable and that
there is a fix (if there actually is a fix), then all I need to do is
monitor my daily security email that automagically includes the output
of portaudit. I can then instantly know that it's time to run
portupgrade on port xyz.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/