From owner-freebsd-pkg@freebsd.org Fri Aug 21 00:41:30 2015
Date: Thu, 20 Aug 2015 17:41:24 -0700
Subject: pkg audit-pkg RFQ
From: "Roger Marquis"
To: freebsd-pkg@freebsd.org
Reply-To: marquis@roble.com
List-Id: Binary package management and package tools discussion

Short of manually populating a temporary local.sqlite, what might be more extensible is a new pkg flag. I believe it would be straightforward to add an "audit-pkg" flag (i.e., "pkg audit-pkg [$pkgname] [...]") for either a single package or a list of packages, on the command line or via stdin, installed or not, and return a report on the vulnerability status of the specified ports/packages. Essentially the same as "pkg audit" but with port/package names specified rather than derived from local.sqlite.
As this patch would be for my own use it wouldn't have to be added to the port (though others may also find it useful). Anyone interested in working on this in the short term please send me an estimate of your schedule and the cost.

Roger Marquis

> I need to run a sort of ad hoc 'pkg audit' for various scenarios without
> actually installing packages (some of which are no longer available).
> Has anyone done this and, if so, how? Did you populate local.sqlite's packages
> table manually? What did the sql command look like?
>
> Is there a better way to do this?
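The behaviour the message asks for (audit explicitly named name-version strings, from the command line or stdin, without touching local.sqlite) as an added, stand-alone example; this is not pkg's own code nor anything from the thread. It reads a VuXML-style database (the excerpt embedded below is constructed for the example, with placeholder VIDs and made-up package names) and reports which named packages fall inside an affected range. The version comparison is a simplified stand-in for pkg's `version[_revision][,epoch]` rules and is an assumption of this example, not the real pkg algorithm.

```python
"""Audit named packages (name-version) against a VuXML-style database.

Hypothetical stand-in for the proposed "pkg audit-pkg": package specs come
from argv or stdin instead of from local.sqlite, so nothing needs to be
installed. Version comparison below is a simplified model of pkg's
version[_revision][,epoch] ordering (assumption of this example).
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML excerpt for the example: placeholder VIDs, fictitious packages.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>examplelib -- buffer overflow in parser (constructed example)</topic>
    <affects>
      <package>
        <name>examplelib</name>
        <range><lt>1.2.3_2</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>exampled -- remote code execution (constructed example)</topic>
    <affects>
      <package>
        <name>exampled</name>
        <name>exampled-devel</name>
        <range><ge>2.0</ge><lt>2.0.5</lt></range>
        <range><ge>3.0,1</ge><lt>3.1,1</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# Comparison result -> does it satisfy this VuXML range operator?
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def parse_version(ver):
    """Split 'version[_revision][,epoch]' into an orderable (epoch, parts, revision)."""
    epoch = revision = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    # Numeric runs compare numerically; alphabetic runs compare as strings.
    parts = [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", ver)]
    return (epoch, parts, revision)


def cmp_version(a, b):
    """Return -1, 0 or 1 like pkg_version; epoch dominates, then version, then revision."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def in_range(version, range_el):
    """True when the version satisfies every bound inside one <range> element."""
    for bound in range_el:
        op = bound.tag.split("}")[-1]
        if not OPS[op](cmp_version(version, bound.text.strip())):
            return False
    return True


def load_vuxml(text):
    return ET.fromstring(text).findall("v:vuln", NS)


def audit(pkgspecs, vulns):
    """Map each 'name-version' spec to the list of (vid, topic) entries that affect it."""
    report = {}
    for spec in pkgspecs:
        if "-" not in spec:
            raise ValueError("expected name-version, got %r" % spec)
        name, version = spec.rsplit("-", 1)  # versions never contain '-', names may
        hits = []
        for vuln in vulns:
            topic = vuln.findtext("v:topic", default="", namespaces=NS)
            for pkg in vuln.findall("v:affects/v:package", NS):
                names = [n.text.strip() for n in pkg.findall("v:name", NS)]
                if name in names and any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                    hits.append((vuln.get("vid"), topic))
                    break
        report[spec] = hits
    return report


def main(argv):
    # Specs from the command line, or one per line on stdin when none are given.
    specs = argv[1:] or [ln.strip() for ln in sys.stdin if ln.strip()]
    report = audit(specs, load_vuxml(SAMPLE_VUXML))
    for spec, hits in report.items():
        if not hits:
            print("%s: not affected by any entry in the sample database" % spec)
            continue
        print("%s is vulnerable:" % spec)
        for vid, topic in hits:
            print("  %s\n  VID: %s" % (topic, vid))
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_pkg.py examplelib-1.2.3_1 exampled-2.0.4` or pipe a list of specs on stdin; the exit status is non-zero when any named package is affected, which is the property a script driving it would key on. Against a real database, replace `SAMPLE_VUXML` with the contents of a fetched vuln.xml.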