Date: Mon, 22 Aug 2016 06:54:20 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: Gerhard Schmidt <schmidt@ze.tum.de> Cc: freebsd-security@freebsd.org Subject: Re: Ports EOL vuxml entry In-Reply-To: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de> References: <6c3a84dc-5669-039c-6fa1-92565dd47dff@ze.tum.de>
| previous in thread | raw e-mail | index | archive | help
> today there was a new entry added to the vuxml file including all > outdated ports. Where is the value in this Entry. This is good news for many of us Gerhard, who depend on the output of 'pkg audit' for vulnerability information. > In this file should only are real vulnerabilities and not maybe > vulnerable not existing ports. You raise two issues here, A) what constitutes a 'real' vulnerability and B) how else would you be warned of probable vulnerabilities (due to unmaintained and unaudited code). There is 'pkg version' of course but few sites use this flag and fewer still use it for vulnerability information. > Right now this breaks my system to find vulnerable ports on my systems > because all systems with legacy code show up with this entry. Can you post details of how it breaks your system? > Maybe pkg audit should be print a warning (suppressible by a commandline > switch or a whiltelist in the config file) when discontinued ports are > installed. A command line switch to ignore deprecated, discontinued and otherwise unadited ports is an excellent idea though I don't think there will be much demand for it. A default 'warn if deprecated' will no doubt be the modal usage and benefit the larger community (who have until now been mislead by the output of 'pkg audit'). Thanks for the heads-up. Roger
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?>