From: Roger Marquis
To: Gerhard Schmidt
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Aug 2016 06:54:20 -0700 (PDT)
Subject: Re: Ports EOL vuxml entry

> today there was a new entry added to the vuxml file including all
> outdated ports. Where is the value in this entry?

This is good news for many of us, Gerhard, who depend on the output of
'pkg audit' for vulnerability information.

> This file should only contain real vulnerabilities and not maybe
> vulnerable, non-existent ports.

You raise two issues here: A) what constitutes a 'real' vulnerability,
and B) how else would you be warned of probable vulnerabilities (due to
unmaintained and unaudited code)? There is 'pkg version', of course, but
few sites use this flag and fewer still use it for vulnerability
information.

> Right now this breaks my system to find vulnerable ports on my systems
> because all systems with legacy code show up with this entry.

Can you post details of how it breaks your system?

> Maybe pkg audit should print a warning (suppressible by a command-line
> switch or a whitelist in the config file) when discontinued ports are
> installed.

A command-line switch to ignore deprecated, discontinued and otherwise
unaudited ports is an excellent idea, though I don't think there will be
much demand for it. A default 'warn if deprecated' will no doubt be the
modal usage and benefit the larger community (who have until now been
misled by the output of 'pkg audit').

Thanks for the heads-up.

Roger