From owner-freebsd-ports@freebsd.org Thu Oct 8 02:26:21 2015
Date: Thu, 8 Oct 2015 02:26:17 +0000
From: Jason Unovitch
To: f-ports
Subject: Re: Working of "pkg audit "
Message-ID: <20151008022617.GA5526@xts-bsd.pa-us.unovitch.com>
Reply-To: junovitch@FreeBSD.org
References: <20151008020225.GA2285@holstein.holy.cow>
In-Reply-To: <20151008020225.GA2285@holstein.holy.cow>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: Porting software to FreeBSD

On Wed, Oct 07, 2015 at 04:02:25PM -1000, parv@pair.com wrote:
> (Sent to -questions@ on Oct 3 but hadn't got any reply, so sending
> to @ports now. Also, the situation below is before www/firefox was
> updated to 41.0.)
>
> I want to know if running "pkg audit" makes any sense for a port
> installed that has not been updated officially yet. Also, is it
> possible to supplement the vuxml catalog for such ports installed?
>
> Firefox 39 or 40 had been installed from ports. I got tired of
> seeing the package being vulnerable on every ports tree update process
> that rebuilds "security/vuxml". As the "www/firefox" port has not
> been updated yet, I fetched the source of firefox 41.0.1; updated
> distinfo; installed (after rebuilding databases/sqlite3 with the DBSTAT
> option & moving "files/patch-bug702179" out of "files").
>
> Now I see vulnerability warnings going back to 2004, which are
> just useless & rather amusing. At least the installed firefox is not
> vulnerable any more (yet).
>
> Apparently per pkg-version
>
> # pkg version -t 41.0.1 41.0,1
> <

The PORTEPOCH here (the ,1) will always make the second version newer than
the first. If you do any local updates then keep the PORTEPOCH and it would
work as intended. If you do a local update, don't forget the most important
step... the patch to Bugzilla of course.
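Added example, not code from this thread or from pkg itself: a small Python model of the ordering the reply describes (PORTEPOCH first, then the dotted version, then PORTREVISION), used to reproduce the `pkg version -t` result above and to show why a local build that drops the `,1` stays below the port's version in a pkg audit-style check while one that keeps it does not. The "fixed in 41.0,1" boundary is constructed for the example, not taken from a VuXML entry, and the model only handles numeric dotted versions (pkg's real comparison has extra rules for suffixes such as a, b, rc and pl).

```python
import re
from typing import List, Tuple

# Added example (not pkg's own code): a simplified model of how FreeBSD
# package versions "PORTVERSION[_PORTREVISION][,PORTEPOCH]" are ordered.
# PORTEPOCH is compared first, then the dotted version, then PORTREVISION.
# Only numeric dotted versions are modelled; pkg's real comparison also has
# rules for suffixes like "a", "b", "rc" and "pl" that are not reproduced.

VersionKey = Tuple[int, List[int], int]


def version_key(v: str) -> VersionKey:
    """Parse 'version[_revision][,epoch]' into (epoch, components, revision)."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version syntax in this model: {v!r}")
    return epoch, [int(p) for p in v.split(".")], revision


def pkg_version_t(v1: str, v2: str) -> str:
    """Return what `pkg version -t v1 v2` prints: '<', '=' or '>'."""
    a, b = version_key(v1), version_key(v2)
    return "<" if a < b else ">" if a > b else "="


def is_flagged(installed: str, fixed_in: str) -> bool:
    """pkg audit-style check: the installed version is still treated as
    affected while it sorts below the version the advisory says fixes it."""
    return pkg_version_t(installed, fixed_in) == "<"


if __name__ == "__main__":
    # The comparison from the thread: the ",1" epoch outranks "41.0.1".
    print(pkg_version_t("41.0.1", "41.0,1"))  # <
    # Assumed advisory boundary, constructed for this example: fixed in 41.0,1.
    fixed = "41.0,1"
    # Local build that dropped PORTEPOCH: sorts older, so it stays flagged.
    print(is_flagged("41.0.1", fixed))  # True
    # Same build with PORTEPOCH kept, as the reply recommends: not flagged.
    print(is_flagged("41.0.1,1", fixed))  # False
```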