From owner-freebsd-ports@freebsd.org Sun Jul 19 01:45:54 2015 Return-Path: Delivered-To: freebsd-ports@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D7C7D999025 for ; Sun, 19 Jul 2015 01:45:54 +0000 (UTC) (envelope-from feld@feld.me) Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9684C1C01 for ; Sun, 19 Jul 2015 01:45:54 +0000 (UTC) (envelope-from feld@feld.me) Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 62977206A7 for ; Sat, 18 Jul 2015 21:45:53 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute6.internal (MEProxy); Sat, 18 Jul 2015 21:45:53 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=feld.me; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=c2pKfo/KO4vggoV/JZ7cfH2vswU=; b=mgFu84 5DZFejA9NfAQh8uoeY2UB3MkTIgRM5spWUM5rt/+L8xzDcfv4dO1AUlAYgJY6mGg jELPefIKv5JrOEh/NszX89k+ERGVgJxRBbtgmMPZNXGd/aPvMQOwemyRi2NKuHPF wNWvRLM9j1wCW8rSLuc1LSxAAgaLDU1obu6gU= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=c2pKfo/KO4vggoV /JZ7cfH2vswU=; b=PC+ds5/SbsM8xS5YzF0Az9WLbI8j3hqQwVdNc6Mxcp4I5mK MT6FVSOlQb73eRsIHH+059QixUv8uuBH53c2HVWXeXFAl7qTMBmI9H+NIMWlGMsM OY4YzQUN2lPbGCCzBxc0Le7xOL03yfFyZETvfNO6QEOpGJhyMWUKMHRrN/SY= Received: by web3.nyi.internal (Postfix, from userid 99) id 2BE0E108EF4; Sat, 18 Jul 2015 21:45:53 -0400 (EDT) Message-Id: <1437270353.4056941.327235545.7D2D9611@webmail.messagingengine.com> X-Sasl-Enc: N2Bu17lzcZia+4C8CNEJaDRG0x+2UEtDXqgFfmVcSmb4 1437270353 From: Mark Felder To: "Ion-Mihai Tetcu" Cc: ports-secteam@freebsd.org, freebsd-ports@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-63a5d8c6 Subject: Re: AUDITFILE default for ports users Date: Sat, 18 Jul 2015 20:45:53 -0500 In-Reply-To: <20150719043547.4dd7c3b6@it.tim.tetcu.info> References: <20150718141713.5153018d@it.tim.tetcu.info> <379A9DE0-1D84-44F2-914F-3985FFA7320E@feld.me> <20150719043547.4dd7c3b6@it.tim.tetcu.info> X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Jul 2015 01:45:54 -0000 On Sat, Jul 18, 2015, at 20:35, Ion-Mihai Tetcu wrote: > On Sat, 18 Jul 2015 17:30:52 -0500 > Mark Felder wrote: > > > > > > On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu > > > wrote: > > > > > > Hi, > > > > > > > > > I have some machines on which, for various reasons, only ports are > > > used. > > > > > > On upgrading ports, I keep running into the the fact that > > > /var/db/pkg/vuln.xml is lagging > > > behind /usr/ports/security/vuxml/vuln.xml which is updated via > > > portsnap (and thus upgrading the vulnerable ports fails). > > > > > > So I'd like to propose defaulting to vuln.xml from ports if it is > > > newer that the one from /var/db/pkg/ and AUDITFILE is not defined > > > by the user. > > > > > > Tentative patch attached (I'm not happy with the != constuct). > > > > > > > I might be slightly lost here regarding what issue you're hitting. > > Described above :) > I'm mostly an old-time ports user (as opposed to packages user). > > > The vuln.xml database at /var/db/pkg/vuln.xml is updated > > by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis. > > Yes, and if a fix for an know vuln was just committed, updating the > ports tree and upgrading the port will get the system patched faster > that waiting for the package to be built on the cluster. A ports user > would portsnap the ports, which will get a more up-to-date vuln.xml > that the one that was fetched by nightly cron. > > > If your database is out of date you can simply force a fetch of the > > database with `pkg audit -F`. > > Yes, or define AUDITFILE to be the one from ports in make.conf. > However both require manual action; I'm just proposing a (I think sane) > default. > > > Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished > > state from working on creating new entries > > One could argue you should do devel on an svn co'ed copy of the tree, > not the system one :) so I don't regard this as an valid argument. > I do development on /usr/ports which is a readonly checkout and used by poudriere, and then have another ports tree I apply patches to (~/svn/freebsd/ports) which is used for committing. :-) > > and I am not sure I would want the ports tree to think it should use > > that database just because it has a newer timestamp. > > I don't know a cheaper way to check if it's more up-to-date. > > > I suppose I would have to think about this a bit more... I'm not > > sure. Having two sources of "truth" seems like a disaster waiting to > > happen. > > True. But except if http://vuxml.freebsd.org/freebsd/vuln.xml.bz2 > update is triggered by each commit it will lag behind the (master) > version in the ports tree. > How often is updated this file fetched by `pkg audit -F`? > It's re-generated by cron every 5 minutes. > At lest for now, one can't really mix ports and packages on a daily > bases; a ports user would tend to ignore pkg features not directly > related to locally installed package management (delete/which/info/...). > > > I'm curious to hear what the other ports-secteam members think. > >