Date: Mon, 6 Oct 2008 13:07:51 +0200 From: Mel <fbsd.hackers@rachie.is-a-geek.net> To: freebsd-hackers@freebsd.org Cc: freebsd-ports@freebsd.org, Eygene Ryabinkin <rea-fbsd@codelabs.ru>, Miroslav Lachman <000.fbsd@quip.cz>, bug-followup@freebsd.org Subject: Re: ports/126853: ports-mgmt/portaudit: speed up audit of installed packages Message-ID: <200810061307.51977.fbsd.hackers@rachie.is-a-geek.net> In-Reply-To: <fBeVL1niDy9KJaVLxcjTW9Xe1Wo@De93eau6bBqwYjK6U3wF/jjVMVE> References: <WGReTVL6CLts/44OKi4qLEsAGHs@jm/Q2DKg1djxmpGNf45V%2BWpjPIE> <200810061124.55209.fbsd.hackers@rachie.is-a-geek.net> <fBeVL1niDy9KJaVLxcjTW9Xe1Wo@De93eau6bBqwYjK6U3wF/jjVMVE>
next in thread | previous in thread | raw e-mail | index | archive | help
On Monday 06 October 2008 12:28:48 Eygene Ryabinkin wrote: > Mel, good day. > > Mon, Oct 06, 2008 at 11:24:54AM +0200, Mel wrote: > > On Monday 06 October 2008 07:23:37 Eygene Ryabinkin wrote: > > > But downloading the INDEX file from the central server seemed to be the > > > best way, since it almost always gives one the latest port versions, so > > > I had implemented this in a first place. > > > > I've been following this, but I don't agree that (port|pkg_)audit should > > do this, from the very perspective you're writing this program from: > > The download is done not by the portaudit itself, but by the helper > script, portaudit-checknew. > > > On Sunday 28 September 2008 11:49:18 Eygene Ryabinkin wrote: > > > 4. I feel that it is Unix-way to do the things: create small utilities > > > that do their (small) job in a proper fashion. > > > > Instead, it can provide installed-pkgname<seperator>pkgorigin output. > > Then, any utility can check whether a new version is available, using > > what ever source it finds relevant. > > > > For example, it is completely irrelevant if a new version is available on > > the FreeBSD servers, when your machine uses a buildserver in a local > > network. For those machines it's relevant whether their build server has > > a new version and one can automatically upgrade if one so desires. > > Similarly, if your /usr/ports is ahead of the FreeBSD's INDEX.bz2, you're > > again reporting false information. > > I hear you, but it seems to me that I should just equip > portaudit-checknew with the other sources of a new ports information and > provide tunables for their location (on-disk path, URL, etc). I am > planning to do this, but first I want to know if these patches will be > viable for the project: feeding these into the /dev/null or just using > them locally, but equipping with a lot of functionality, is not what I > really want ;)) > > > It's also quite trivial to provide this availibility information in a > > daily security script, for the "majority of cases" > > Didn't get it, sorry. Could you, please, elaborate a bit? Once you have the origin of the port, you can: - make -C $PORTSDIR/$origin -V PKGNAME - get the matching origin(s) out of ${INDEXDIR}/${INDEXFILE} - get the matching origin(s) out of a downloaded INDEX.bz2 This covers the majority of cases. What portaudit lacks, is providing the origin along with the installed package name in easily parseable format. So, a central server wanting to query all the machines for vulnerable packages, now has to do an extra step of going into $PKG_DBDIR/$pkgname/+CONTENTS and getting the @comment ORIGIN: line, while (port|pkg_)audit has just been there. This would be something I'd expect: ssh clientmachine "/usr/sbin/pkg_audit -l" foo-1.2,3:misc/foo bar-4.5_6:devel/bar ... -- Mel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810061307.51977.fbsd.hackers>