From owner-freebsd-hackers@FreeBSD.ORG Sun Sep 28 11:33:52 2008
Message-ID: <48DF6735.4030906@quip.cz>
Date: Sun, 28 Sep 2008 13:15:01 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Eygene Ryabinkin
Cc: freebsd-hackers@freebsd.org, Roman Kurakin, bug-followup@freebsd.org, freebsd-ports@freebsd.org
References: <48DE5CC0.9000708@localhost.inse.ru>
Subject: Re: ports/126853: ports-mgmt/portaudit: speed up audit of installed packages
List-Id: Technical Discussions relating to FreeBSD

Eygene Ryabinkin wrote:
> Roman, good day.
>
> Sat, Sep 27, 2008 at 08:18:08PM +0400, Roman Kurakin wrote:
>> Have you also posted this to ports@?
>
> No, forgot to do it. CC'ing ports@
>
> Thanks!
>
> The original posting to hackers@ goes below. It will be double-posted
> to the bug-followup@ -- sorry for this.
>
>> Eygene Ryabinkin wrote:
>>
>>> Good day.
>>>
>>> A while ago I had created the new utility that serves as VuXML
>>> filter for the installed packages:
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/126853
>>>
>>> My primary intention was to speed up the process of auditing the
>>> vulnerable ports: I needed to run portaudit checks with Nagios and to
>>> avoid large timeouts.
>>>
>>> The new utility is called pkg_audit and it serves as a simple text
>>> filter: on input it takes the full VuXML feed and on output it puts
>>> VuXML entries that match ports that are installed in the system, with
>>> the port version specification substituted with the actual port versions.
>>>
>>> No harm is done to the actual portaudit -- if pkg_audit is missing, the old
>>> code path is activated.
>>>
>>> If someone is interested and will be able to test -- I am all ears.
>
> Additional clarifications inspired by the off-line talk with rik@:
> I could take another route and add this functionality to the pkg_info.
> I took another approach for the following reasons.
>
> 1. pkg_info's option list is already quite big -- around 32 options
> and switches.
>
> 2. It is easier to test for the presence of the new tool (pkg_audit)
> and use it, instead of checking the support for the new option in
> pkg_info.
>
> 3. I see no options in pkg_info that can be naturally extended to
> absorb the new functionality. The closest is '-E', but pkg_audit
> needs to read VuXML entries, choose ones that are present in the system
> and output the found VuXML entries with version templates substituted
> with the real entries, so pkg_audit is a filter-like utility. In my
> opinion, such an extension of pkg_info's "-E" will be very unnatural.
>
> 4. I feel that it is Unix-way to do the things: create small utilities
> that do their (small) job in a proper fashion. Moreover, since the
> majority of the code sits in the pkg_install's library, there is a very
> slight code duplication, if any.

Is there any possibility to make portaudit / pkg_audit cooperate with pkg_version to show a vulnerable package together with information whether a newer (not vulnerable) package (or port) version is available for upgrade?

If I read the nightly security e-mail with, for example, 4 vulnerable packages, then I need to log in to the server and manually check whether newer (fixed) packages are available.

It seems not so hard to check the output of `pkg_version -vIL =` and compare both versions (installed and available) with portaudit in some shell script; I didn't start to write it yet ;).

Miroslav Lachman
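One way the correlation sketched above could be done, as an added example that is not Miroslav's script nor part of portaudit or pkg_install: the sample `portaudit` and `pkg_version -vIL =` outputs below are constructed (placeholder package names and references), and the line formats of both tools are assumed from their usual output.

```sh
#!/bin/sh
# Constructed sample of `portaudit -a` output; package names and references are placeholders.
PORTAUDIT_SAMPLE='Affected package: examplepkg-1.0_1
Type of problem: examplepkg -- placeholder problem description.
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-1.html>

Affected package: otherpkg-2.3
Type of problem: otherpkg -- placeholder problem description.
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-2.html>

2 problem(s) in your installed packages found.'

# Constructed sample of `pkg_version -vIL =` output: only packages whose
# installed version differs from the INDEX version are listed.
PKGVERSION_SAMPLE='examplepkg-1.0_1                    <   needs updating (index has 1.0_2)
thirdpkg-0.9                        >   succeeds index (index has 0.8)'

# correlate PORTAUDIT_TEXT PKGVERSION_TEXT
# Prints one line per "Affected package:" entry:
#   <pkg> upgrade-available:<index version>   when pkg_version reports a newer version
#   <pkg> no-newer-version                    when INDEX has nothing newer
correlate() {
    {
        printf '%s\n' "$2"
        printf '%s\n' '=== portaudit ==='
        printf '%s\n' "$1"
    } | awk '
    /^=== portaudit ===$/ { inaudit = 1; next }
    # First section: pkg_version lines; remember packages flagged "<" with the INDEX version.
    !inaudit && match($0, /\(index has [^)]*\)/) {
        if ($2 == "<") newer[$1] = substr($0, RSTART + 11, RLENGTH - 12)
        next
    }
    # Second section: portaudit lines; report each affected package.
    inaudit && /^Affected package: / {
        pkg = $3
        if (pkg in newer) print pkg " upgrade-available:" newer[pkg]
        else print pkg " no-newer-version"
    }'
}

# On a real system this would be: correlate "$(portaudit -a)" "$(pkg_version -vIL =)"
correlate "$PORTAUDIT_SAMPLE" "$PKGVERSION_SAMPLE"
```

The output marks examplepkg-1.0_1 as upgradable to 1.0_2 and otherpkg-2.3 as having no newer version in INDEX, which is exactly the information the nightly security mail lacks.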