Date:      Sat, 18 Jul 2015 17:30:52 -0500
From:      Mark Felder <feld@feld.me>
To:        Ion-Mihai Tetcu <itetcu@FreeBSD.org>
Cc:        freebsd-ports@freebsd.org, ports-secteam@freebsd.org
Subject:   Re: AUDITFILE default for ports users
Message-ID:  <379A9DE0-1D84-44F2-914F-3985FFA7320E@feld.me>
In-Reply-To: <20150718141713.5153018d@it.tim.tetcu.info>
References:  <20150718141713.5153018d@it.tim.tetcu.info>

> On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu <itetcu@FreeBSD.org> wrote:
> 
> Hi,
> 
> 
> I have some machines on which, for various reasons, only ports are used.
> 
> On upgrading ports, I keep running into the fact that
> /var/db/pkg/vuln.xml is lagging behind /usr/ports/security/vuxml/vuln.xml
> which is updated via portsnap (and thus upgrading the vulnerable ports
> fails).
> 
> So I'd like to propose defaulting to vuln.xml from ports if it is newer
> than the one from /var/db/pkg/ and AUDITFILE is not defined by the user.
> 
> Tentative patch attached (I'm not happy with the != construct).
> 

I might be slightly lost here regarding what issue you're hitting. The vuln.xml database at /var/db/pkg/vuln.xml is updated by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis. If your database is out of date you can simply force a fetch of the database with `pkg audit -F`.

Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished state from working on creating new entries and I am not sure I would want the ports tree to think it should use that database just because it has a newer timestamp.

I suppose I would have to think about this a bit more... I'm not sure. Having two sources of "truth" seems like a disaster waiting to happen. I'm curious to hear what the other ports-secteam members think.
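The selection rule proposed in the quoted message, combined with the concern raised in the reply that a newer mtime alone does not prove the ports copy is finished, as an added example in POSIX sh (not the patch attached to the thread). It assumes the two default paths named in the thread, and the "complete" check (xmllint well-formedness when available, plus a closing `</vuxml>` tag) is an assumption of this example, not ports infrastructure.

```shell
#!/bin/sh
# Added example: pick the VuXML database a ports audit should run against.
# Paths are the defaults discussed in the thread; override via environment.
PKG_VULN="${PKG_VULN:-/var/db/pkg/vuln.xml}"
PORTS_VULN="${PORTS_VULN:-/usr/ports/security/vuxml/vuln.xml}"

# vuxml_complete FILE: succeed only if FILE looks like a finished VuXML document.
# A half-written entry (the "unfinished state" case) is newer but not usable,
# so the mtime comparison alone is not a safe selection rule. (Assumed check.)
vuxml_complete() {
    [ -s "$1" ] || return 1
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1" >/dev/null 2>&1 || return 1
    fi
    grep -q '</vuxml>' "$1"
}

# select_auditfile [AUDITFILE]: print the database path to audit against.
#   1. An explicit AUDITFILE (argument or environment) always wins.
#   2. Otherwise the ports copy is used only if it is newer AND complete.
#   3. Fall back to the pkg-managed copy fetched by pkg audit -F.
select_auditfile() {
    explicit="${1:-${AUDITFILE:-}}"
    if [ -n "$explicit" ]; then
        printf '%s\n' "$explicit"
        return 0
    fi
    if [ "$PORTS_VULN" -nt "$PKG_VULN" ] && vuxml_complete "$PORTS_VULN"; then
        printf '%s\n' "$PORTS_VULN"
    else
        printf '%s\n' "$PKG_VULN"
    fi
}
```

Calling `select_auditfile` with no argument reproduces the proposed default while refusing a newer-but-unfinished working copy; an explicit AUDITFILE bypasses both checks, as the proposal intends.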
