Date: Sun, 13 Jun 2004 11:15:47 +0200
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: FreeBSD ports <FreeBSD-ports@FreeBSD.org>
Cc: FreeBSD security <FreeBSD-security@FreeBSD.org>
Subject: FYI: new port security/portaudit-db
Message-ID: <41764F4F-BD1A-11D8-B633-00039312D914@fillmore-labs.com>
Dear porters and port users,

I've added a new port security/portaudit-db that complements security/portaudit for users that have a current ports tree and want to generate the portaudit database themselves, possibly distributing it over their local network. This will save you the traffic of downloading information that is already on your local machine and avoid the lag that is currently associated with the mirroring process.

Basically you just need to install security/portaudit-db and do `packaudit' every time after your ports tree has been updated. Try `portaudit -d'; it should show the current date afterwards.

This port also features a MOVED style file (database/portaudit.txt) where UUIDs for vulnerabilities can be allocated before they are researched thoroughly and moved to the VuXML database. When you fix a vulnerability in one of your ports, please add at least an entry to this file, so that this fact doesn't go unnoticed. Of course a full VuXML entry is preferred.

I take this announcement as an opportunity to make a plea to all port maintainers:

* please stick with *one* PKGNAMESUFFIX (possibly using a combined one like -sasl-client)
* please *do not* change the structure of the package's version number according to included components.

Let's take for example port `myport' which has optional components c1 and c2. This *should not* result in the following package names:

  port-v
  port-suf1-v+v1
  port-suf2-v+v2
  port-suf1-suf2-v+v1+v2

because I need 2^(number of components) entries to catch all possible combinations; for example the recent vulnerability in www/apache13-modssl would need 32 entries in the vulnerability database, which seems a little high. A net effect is that many combinations are not recognized, and users remain unprotected even though they assume the opposite. If you need to record the included components, please do this in the pkg-message, which is displayed with pkg_info -D.

Again:

* a port should *not* change its version numbering based on included components
* restrain yourself to *one* suffix in the package name (and use a dash to separate it from the main port's name)

Thanks
-Oliver
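To make the 2^(number of components) argument concrete, here is an added example (not part of Oliver's mail or of portaudit) that enumerates the package names each naming scheme produces and checks a constructed list of installed packages against a name-keyed database; `myport`, the components `c1`..`c5` and all versions are made-up values.

```python
"""Per-component PKGNAMESUFFIXes versus a single suffix, as seen by a
package-name-keyed vulnerability database (constructed example)."""
from itertools import combinations

# Constructed: a hypothetical port with five optional components.
BASE, VERSION = "myport", "1.0"
COMPONENTS = [("c1", "1"), ("c2", "2"), ("c3", "3"), ("c4", "4"), ("c5", "5")]


def split_pkgname(pkg):
    """Split 'name-with-dashes-version' at the last dash (FreeBSD style)."""
    name, _, version = pkg.rpartition("-")
    return name, version


def discouraged_variants(base, version, components):
    """Discouraged scheme: one suffix per component, version grows with it.
    One package name per subset of components -> 2^n names."""
    out = []
    for k in range(len(components) + 1):
        for chosen in combinations(components, k):
            suffix = "".join(f"-{c}" for c, _ in chosen)
            ver = version + "".join(f"+{v}" for _, v in chosen)
            out.append(f"{base}{suffix}-{ver}")
    return out


def recommended_variants(base, version, components):
    """Recommended scheme: at most one suffix, version left untouched -> n+1 names."""
    return [f"{base}-{version}"] + [f"{base}-{c}-{version}" for c, _ in components]


def entries_needed(variants):
    """Distinct package names a database must list to cover every variant."""
    return len({split_pkgname(p)[0] for p in variants})


def unprotected(installed, db_names):
    """Installed packages whose name has no entry at all in the database."""
    return [p for p in installed if split_pkgname(p)[0] not in db_names]


if __name__ == "__main__":
    print(entries_needed(discouraged_variants(BASE, VERSION, COMPONENTS)))  # 32
    print(entries_needed(recommended_variants(BASE, VERSION, COMPONENTS)))  # 6
    # A database that only covers the plain and -c1 names misses the -c1-c2 build.
    print(unprotected(["myport-c1-c2-1.0+1+2"], {"myport", "myport-c1"}))
```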