Date: Fri, 11 Aug 2017 23:55:13 +0200
From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Message-ID: <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org>
In-Reply-To: <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz>
References: <nycvar.OFS.7.76.1708101931090.13252@eboyr.pbz> <C540BA50-5F06-4F99-A575-D27347A3F527@FreeBSD.org> <D12FD70B-2F2B-4895-AB9D-1BD72F8512B6@FreeBSD.org> <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz>
> On 11 Aug 2017, at 23:47, Roger Marquis <marquis@roble.com> wrote:
>
>> It had been resolved for dovecot (it will now match both variants, since people might still have
>> the old variant of the port installed) and there is a new paragraph added to the porters handbook
>> which tells that we need to have a look at the vuxml entries.
>
> Thanks Remko.

No problemo :)

>
>> Hope this solves your issue,
>
> It may for renamed ports/pkgs but doesn't appear to for deprecations.
> Once ports are dropped they do not show up in pkg-audit despite having
> been installed via pkg and/or ports. That's the false negative that
> appears to still be a problem.

Ports / pkgs that get renamed are now changed and/or added in VuXML as well. So the old variant and the new variant of the names would both be listed in pkg audit.

pkg audit parses VuXML; it also does a check on what is locally registered in its database. For example, if you have a/b installed, and that has a marking in VuXML: <package>b</package>, then it would hit on the package you have. If a/b gets removed for some reason, and it is still in VuXML and you have it locally registered, then it would still be matched (or should).

If an entry is removed from the ports/pkg trees and it is also removed from VuXML, then yes, it will no longer get marked in your local installation. That's a bit of a chicken and egg basically. Although I do not recall that it ever happened that ports that are no longer there are removed from VuXML as well. (And I follow that since 2004.)

Do you have a more concrete example that we can dive into to see what is going on/going wrong?

Cheers
Remko

>
> Roger
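The matching logic Remko describes (VuXML package entries checked against what pkg has registered locally, with a renamed port listed under both names, and an entry that stays matched as long as it survives in VuXML) can be modelled in a few lines. The script below is an added illustration, not code from this thread and not pkg's own implementation. It assumes a small VuXML-style subset (`vuln`/`affects`/`package`/`name`/`range` elements under the VuXML namespace), uses constructed advisory entries and package names, and simplifies version comparison to dotted integers, which is not FreeBSD's real package-version ordering.

```python
"""Toy model of pkg-audit style matching: VuXML-like entries are compared
against the packages registered locally. All data here is constructed for
illustration; the version comparison is a deliberate simplification."""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML-like document (not a real advisory). Entry 0001 lists the
# old and the renamed package name together, as the thread says is now done;
# entry 0002 covers a port that was dropped from the tree but kept in VuXML.
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-0001">
    <topic>example -- old and renamed name both listed</topic>
    <affects>
      <package>
        <name>oldname</name>
        <name>newname</name>
        <range><lt>2.0</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="example-0002">
    <topic>example -- still listed although the port was dropped</topic>
    <affects>
      <package>
        <name>droppedport</name>
        <range><lt>1.5</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


def parse_version(text):
    """Simplified version key: dotted integers only (assumption, not pkg's rules)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_vuxml(xml_text):
    """Flatten each <package> of each <vuln> into names plus version bounds."""
    root = ET.fromstring(xml_text)
    entries = []
    for vuln in root.findall("v:vuln", NS):
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text.strip() for n in pkg.findall("v:name", NS)]
            ranges = []
            for rng in pkg.findall("v:range", NS):
                bounds = {}
                for tag in ("lt", "le", "gt", "ge", "eq"):
                    el = rng.find("v:" + tag, NS)
                    if el is not None:
                        bounds[tag] = parse_version(el.text)
                ranges.append(bounds)
            entries.append({"vid": vuln.get("vid"), "topic": topic,
                            "names": names, "ranges": ranges})
    return entries


def in_range(version, bounds):
    """True when the installed version satisfies every bound of one <range>."""
    v = parse_version(version)
    checks = {"lt": v.__lt__, "le": v.__le__, "gt": v.__gt__,
              "ge": v.__ge__, "eq": v.__eq__}
    return all(checks[tag](limit) for tag, limit in bounds.items())


def audit(installed, entries):
    """installed: {package name: version} as registered in the local database.
    Returns (name, version, vid) for every locally registered package that
    matches any name of an entry inside one of its ranges."""
    hits = []
    for entry in entries:
        for name in entry["names"]:
            if name in installed and any(in_range(installed[name], r)
                                         for r in entry["ranges"]):
                hits.append((name, installed[name], entry["vid"]))
    return hits


def false_negative_after_removal(installed, entries, dropped_name):
    """Model the chicken-and-egg case from the thread: once an entry is also
    removed from VuXML, the still-installed package silently stops matching."""
    remaining = [e for e in entries if dropped_name not in e["names"]]
    return audit(installed, remaining)


if __name__ == "__main__":
    entries = parse_vuxml(VUXML_SAMPLE)
    local = {"oldname": "1.9", "newname": "2.1", "droppedport": "1.0"}
    print("matches:", audit(local, entries))
    print("after VuXML removal:", false_negative_after_removal(local, entries, "droppedport"))
```

Running it shows `oldname` matched through the renamed entry and `droppedport` matched as long as its VuXML entry exists; the second call demonstrates the false negative the thread is about: the package is still registered locally, but with the entry gone from VuXML nothing is left to match it against.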
