From: Mel
To: freebsd-hackers@freebsd.org
Cc: freebsd-ports@freebsd.org, Eygene Ryabinkin , Miroslav Lachman <000.fbsd@quip.cz>, bug-followup@freebsd.org
Date: Mon, 6 Oct 2008 13:07:51 +0200
Subject: Re: ports/126853: ports-mgmt/portaudit: speed up audit of installed packages
Message-Id: <200810061307.51977.fbsd.hackers@rachie.is-a-geek.net>
References: <200810061124.55209.fbsd.hackers@rachie.is-a-geek.net>
In-Reply-To:

On Monday 06 October 2008 12:28:48 Eygene Ryabinkin wrote:
> Mel, good day.
>
> Mon, Oct 06, 2008 at 11:24:54AM +0200, Mel wrote:
> > On Monday 06 October 2008 07:23:37 Eygene Ryabinkin wrote:
> > > But downloading the INDEX file from the central server seemed to be the
> > > best way, since it almost always gives one the latest port versions, so
> > > I had implemented this in the first place.
> >
> > I've been following this, but I don't agree that (port|pkg_)audit should
> > do this, from the very perspective you're writing this program from:
>
> The download is done not by the portaudit itself, but by the helper
> script, portaudit-checknew.
>
> > On Sunday 28 September 2008 11:49:18 Eygene Ryabinkin wrote:
> > > 4. I feel that it is the Unix way to do things: create small utilities
> > > that do their (small) job in a proper fashion.
> >
> > Instead, it can provide installed-pkgnamepkgorigin output.
> > Then, any utility can check whether a new version is available, using
> > whatever source it finds relevant.
> >
> > For example, it is completely irrelevant if a new version is available on
> > the FreeBSD servers, when your machine uses a buildserver in a local
> > network. For those machines it's relevant whether their build server has
> > a new version and one can automatically upgrade if one so desires.
> > Similarly, if your /usr/ports is ahead of the FreeBSD's INDEX.bz2, you're
> > again reporting false information.
>
> I hear you, but it seems to me that I should just equip
> portaudit-checknew with the other sources of new ports information and
> provide tunables for their location (on-disk path, URL, etc). I am
> planning to do this, but first I want to know if these patches will be
> viable for the project: feeding these into /dev/null or just using
> them locally, but equipping them with a lot of functionality, is not what I
> really want ;))
>
> > It's also quite trivial to provide this availability information in a
> > daily security script, for the "majority of cases"
>
> Didn't get it, sorry. Could you, please, elaborate a bit?

Once you have the origin of the port, you can:
- make -C $PORTSDIR/$origin -V PKGNAME
- get the matching origin(s) out of ${INDEXDIR}/${INDEXFILE}
- get the matching origin(s) out of a downloaded INDEX.bz2

This covers the majority of cases.

What portaudit lacks is providing the origin along with the installed
package name in an easily parseable format. So, a central server wanting to
query all the machines for vulnerable packages now has to do an extra step
of going into $PKG_DBDIR/$pkgname/+CONTENTS and getting the @comment ORIGIN:
line, while (port|pkg_)audit has just been there.
This would be something I'd expect:

ssh clientmachine "/usr/sbin/pkg_audit -l"
foo-1.2,3:misc/foo
bar-4.5_6:devel/bar
...

-- 
Mel
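The listing-plus-lookup that the mail above sketches, as an added example that is not part of this thread, of portaudit or of the proposed pkg_audit: a POSIX sh script that reads the `@comment ORIGIN:` line from each `$PKG_DBDIR/<pkgname>/+CONTENTS`, prints `pkgname:origin` in the shape of the proposed `pkg_audit -l`, and then looks each origin up in an INDEX file to see whether the index carries a different version for that origin. The package database, the INDEX lines and the function names (`setup_sample`, `list_installed`, `check_index`) are constructed for the example; only the `+CONTENTS` layout and the `|`-separated INDEX layout (pkgname in field 1, port directory in field 2) come from the mail and the FreeBSD formats.

```shell
#!/bin/sh
# Added example, not part of the original mail or of portaudit.
# Emits "pkgname:origin" for installed packages by reading the
# "@comment ORIGIN:" line of each $PKG_DBDIR/<pkgname>/+CONTENTS, then
# looks each origin up in an INDEX file. All data below is constructed.

# Constructed package database and INDEX so the script runs offline.
setup_sample() {
    PKG_DBDIR=$(mktemp -d "${TMPDIR:-/tmp}/pkgdb.XXXXXX")
    INDEXFILE="$PKG_DBDIR/INDEX"
    for spec in "foo-1.2,3 misc/foo" "bar-4.5_6 devel/bar" "baz-0.9 sysutils/baz"; do
        set -- $spec
        mkdir -p "$PKG_DBDIR/$1"
        printf '@name %s\n@comment ORIGIN:%s\n@cwd /usr/local\n' "$1" "$2" \
            > "$PKG_DBDIR/$1/+CONTENTS"
    done
    # INDEX fields are '|'-separated; only pkgname (1) and port path (2) matter here.
    cat > "$INDEXFILE" <<'EOF'
foo-1.2,3|/usr/ports/misc/foo|/usr/local|Constructed foo|/usr/ports/misc/foo/pkg-descr|nobody@example.invalid|misc|||
bar-4.6|/usr/ports/devel/bar|/usr/local|Constructed bar|/usr/ports/devel/bar/pkg-descr|nobody@example.invalid|devel|||
EOF
}

# "pkg_audit -l" as proposed in the mail: one "pkgname:origin" line per package.
list_installed() {
    for contents in "$PKG_DBDIR"/*/+CONTENTS; do
        [ -f "$contents" ] || continue
        pkg=$(basename "$(dirname "$contents")")
        origin=$(sed -n 's/^@comment ORIGIN://p' "$contents")
        # A +CONTENTS without an ORIGIN line cannot be mapped to a port; skip it.
        [ -n "$origin" ] || continue
        printf '%s:%s\n' "$pkg" "$origin"
    done
}

# Read "pkgname:origin" lines on stdin and report, per line, whether the INDEX
# lists the same pkgname, a different one, or no entry for that origin.
# Matching uses the last two components of the INDEX port path, so it works
# whatever PORTSDIR the INDEX was built from.
check_index() {
    while IFS=: read -r pkg origin; do
        avail=$(awk -F'|' -v o="$origin" \
            '{ n = split($2, a, "/"); if ((a[n-1] "/" a[n]) == o) print $1 }' "$INDEXFILE")
        if [ -z "$avail" ]; then
            printf '%s %s not-in-index\n' "$pkg" "$origin"
        elif [ "$avail" = "$pkg" ]; then
            printf '%s %s up-to-date\n' "$pkg" "$origin"
        else
            # Differing is not the same as newer: the local tree may be ahead of
            # the INDEX, which is exactly the false-report case the mail warns about.
            printf '%s %s differs (index has %s)\n' "$pkg" "$origin" "$avail"
        fi
    done
}

setup_sample
list_installed | check_index
rm -rf "$PKG_DBDIR"
```

The script deliberately reports "differs" rather than "newer": deciding which of two package versions is the later one is what pkg_version(1) does with `-t`, and which INDEX to trust (the central INDEX.bz2, the local ports tree's INDEX, or a build server's) is the policy question the thread is about, so the lookup takes the INDEX path as a variable and leaves that choice to the caller.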