Date:      Tue, 24 Apr 2001 12:52:16 -0700
From:      Sean Chittenden <sean@chittenden.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        Calvin NG <calvinng@brel.com>, Sean Chittenden <sean-freebsd-stable@chittenden.org>, Jeff Kletsky <Jeff+freebsd@wagsky.com>, freebsd-stable@FreeBSD.ORG, bmah@FreeBSD.ORG
Subject:   Re: pkg_version perl hacker project
Message-ID:  <20010424125216.L19530@rand.tgd.net>
In-Reply-To: <20010424120052.H89156@xor.obsecurity.org>; from "kris@obsecurity.org" on Tue, Apr 24, 2001 at 12:00:52PM
References:  <Pine.BSF.4.21.0104230806060.27435-100000@wildside.wagsky.com> <20010423231827.A19530@rand.tgd.net> <20010424142340.E5216@brel.com> <20010424014833.B19530@rand.tgd.net> <20010424120052.H89156@xor.obsecurity.org>



On Tue, Apr 24, 2001 at 12:00:52PM -0700, Kris Kennaway wrote:
> At least it was a learning experience, right? :-)

	Yeah...  I still want to learn more about the ports skeleton
files though, it seems like there could be a chunk of work done on
standardizing the formats of Makefiles, but that's my opinion after
about an hour of investigation.

> If you're still in pkg_* perl script hacking mode, we could use a
> utility which does the following:

	Alright, I'll see if I can whip something out over the next
few days.  What kind of advisories do you want to support?  I'm
assuming BSD and that's it...  maybe CERT.

> Parses a set of ports security advisories, extracts a list of
> vulnerable package versions described in some form (regex/glob
> expression/etc) and checks for any vulnerable packages installed.

	Why not set up a mirrorable, online index of all ports that are
forbidden.  Have it run over HTTP so that proxy support should be
cake, and ... rest's history.

> We'd need to agree on a standard form to use in the advisories to aid
> in parsing.

	Yup!

> This could be done as an extension to pkg_version, since much of the
> code you will need to manage versions is already there, and it's a
> logical extension of that program's function.

	I'll probably do a stand-alone that depends on pkg_version,
then merge the two.

> NetBSD have a port called audit-packages which does something similar,
> but not quite the same as the above (last I checked) -- it might still
> be useful as a starting point.
>
> Interested?

	Yeah, why not.  With a tool like this, it'd make security
a part of an SA's daily routine.  Tonight I'll dive through my archived
mail and look for a few advisories to model after.  Is there a central
clearing house for all advisories, or some kind of database that can
be queried?  Are advisories distributed with a system?  I haven't seen
them in my cvsup logs, but this wouldn't be the first thing I've
glanced over and not noticed (ex: pkg_version).  -sc

-- 
Sean Chittenden
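The checker Kris describes in the quoted request above (advisory entries that name vulnerable package versions as a regex or a glob, matched against the packages installed on the box), as an added example that is not part of this thread, of pkg_version or of NetBSD's audit-packages. It is written in Python rather than Perl; the package list, advisory ids and patterns are constructed samples, and the dotted-version comparison is a simplification of the rules pkg_version actually applies (it ignores FreeBSD's `_N` and `,N` suffixes):

```python
"""Added example: audit an installed-package list against advisory
patterns.  Not the script discussed in the thread."""
import fnmatch
import re

# Constructed sample of installed packages in the name-version form that
# pkg_info(1) prints.  Not real output from any system.
INSTALLED = [
    "openssh-2.3.0",
    "bind-8.2.3",
    "lynx-2.8.3",
    "sudo-1.6.3.6",
]

# Constructed advisory index (ids are placeholders).  Each entry carries
# one pattern of one of three kinds:
#   glob:  shell-style match on the full name-version string
#   regex: regular expression on the full name-version string
#   fixed: "name<version", where version is the first non-vulnerable one
ADVISORIES = [
    {"id": "EXAMPLE-2001-01", "kind": "glob", "pattern": "bind-8.2.*"},
    {"id": "EXAMPLE-2001-02", "kind": "regex", "pattern": r"^lynx-2\.8\.[0-3]$"},
    {"id": "EXAMPLE-2001-03", "kind": "fixed", "pattern": "openssh<2.9"},
    {"id": "EXAMPLE-2001-04", "kind": "fixed", "pattern": "sudo<1.6.3.6"},
]


def split_pkg(pkg):
    """Split 'name-1.2.3' into ('name', '1.2.3') at the last hyphen."""
    name, _, version = pkg.rpartition("-")
    return name, version


def version_key(version):
    """Dotted version string to a tuple of ints for ordering.
    Simplification: real FreeBSD port versions also carry _N (port
    revision) and ,N (epoch) suffixes, which this deliberately ignores."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def matches(entry, pkg):
    """True if the advisory entry describes this installed package as vulnerable."""
    kind, pattern = entry["kind"], entry["pattern"]
    if kind == "glob":
        return fnmatch.fnmatchcase(pkg, pattern)
    if kind == "regex":
        return re.search(pattern, pkg) is not None
    if kind == "fixed":
        adv_name, fixed = pattern.split("<", 1)
        name, version = split_pkg(pkg)
        return name == adv_name and version_key(version) < version_key(fixed)
    raise ValueError("unknown pattern kind: %r" % kind)


def audit(installed, advisories):
    """Return [(package, advisory id), ...] for every installed package
    that some advisory entry marks as vulnerable, in installed order."""
    hits = []
    for pkg in installed:
        for entry in advisories:
            if matches(entry, pkg):
                hits.append((pkg, entry["id"]))
    return hits


if __name__ == "__main__":
    for pkg, adv in audit(INSTALLED, ADVISORIES):
        print("%s is vulnerable (see %s)" % (pkg, adv))
```

Running it flags openssh-2.3.0, bind-8.2.3 and lynx-2.8.3 and leaves sudo-1.6.3.6 alone, since that is exactly the version the constructed entry names as fixed. The three pattern kinds are the point: a glob or regex is easy to write into an advisory by hand, but only the "fixed in" form lets the tool reuse the version-ordering logic the thread says pkg_version already has, which is why a shared advisory format matters before the parser is written.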

