Date: Sat, 26 Feb 2005 15:25:14 -0500
From: epilogue
To: freebsd-questions@freebsd.org
Cc: FreeBSD@keyslapper.net
Cc: freebsd-doc@freebsd.org
Subject: Re: Portupgrading - portauditing
Message-ID: <20050226152514.1a3f9676@localhost>
In-Reply-To: <20050226181700.GA1044@keyslapper.net>

> I finally gave up and deleted the db at
> /var/db/portaudit/auditfile.tbz and then did the upgrade.
>
> It still flags firefox as a vulnerability, even though the problem it
> references is supposed to be explicitly fixed in the version I have
> installed (window injection vulnerability).
>
> Of course, you can use the method described by another poster to get
> that list, but I haven't been able to get portaudit to actually let me
> upgrade. Even the portupgrade -f flag won't work and simply building
> the port manually is also disabled for flagged ports.
>
> Portaudit seems more a hard lockdown than a warning system. I think
> either I am not understanding how to manage it yet, or it has a couple
> issues that have not been hammered out yet. Manpages don't have much
> detail about this issue. I haven't had a chance to check on the
> existence of a bug report yet, because I want to hunt down all the
> docs I can first.

no need to fiddle with portaudit, as these can be fed directly to make
or to portupgrade (with the -m flag).

building ports despite vulnerabilities: -DDISABLE_VULNERABILITIES
building ports despite ignore: -DNO_IGNORE

to my knowledge, these are not yet documented anywhere but here in the
mailing lists. i believe that the doc project is already looking to
integrate this info into the ports manpage (or somewhere else equally
sensible). on the off chance that they lost sight of this target, i'm
adding them to cc. (: thank you docs team :)

hth.

cheers,
epi