Date: Fri, 11 Aug 2017 23:55:13 +0200
From: Remko Lodder <remko@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Message-ID: <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org>
In-Reply-To: <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz>
References: <nycvar.OFS.7.76.1708101931090.13252@eboyr.pbz> <C540BA50-5F06-4F99-A575-D27347A3F527@FreeBSD.org> <D12FD70B-2F2B-4895-AB9D-1BD72F8512B6@FreeBSD.org> <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz>
> On 11 Aug 2017, at 23:47, Roger Marquis <marquis@roble.com> wrote:
>
>> It had been resolved for dovecot (it will now match both variants, since people might still have
>> the old variant of the port installed) and there is a new paragraph added to the porters handbook
>> which tells that we need to have a look at the vuxml entries.
>
> Thanks Remko.

No problemo :)

>
>> Hope this solves your issue,
>
> It may for renamed ports/pkgs but doesn't appear to for deprecations.
> Once ports are dropped they do not show up in pkg-audit despite having
> been installed via pkg and/or ports. That's the false negative that
> appears to still be a problem.

Ports / pkgs that get renamed are now changed and/or added in VuXML as well. So the old variant and the new variant of the names would both be listed in pkg audit.

pkg audit parses VuXML; it also does a check on what is locally registered in its database. For example, if you have a/b installed, and that has a marking in VuXML: <package>b</package>, then it would hit on the package you have. If a/b gets removed for some reason, and it is still in VuXML and you have it locally registered, then it would still be matched (or should).

If an entry is removed from the ports/pkg trees and it is also removed from VuXML, then yes, it will no longer get marked in your local installation. That's a bit of a chicken and egg basically. Although I do not recall that it ever happened that ports that are no longer there are removed from VuXML as well. (And I follow that since 2004.)

Do you have a more concrete example that we can dive into to see what is going on/going wrong?

Cheers
Remko

>
> Roger
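As an added illustration of the matching Remko describes (this is not pkg's own code and not part of the thread), the Python below parses a VuXML feed, compares each `<name>`/`<range>` against a list shaped like `pkg query '%n-%v'` output, and reports which installed packages hit. It shows both the renamed-port case (an entry that lists the old and new name, so either installed variant is flagged) and the failure mode under discussion (once the entry is gone from the feed, a still-installed package is no longer flagged, whatever the local database says). The VuXML document, the vid, the package names and the installed list are constructed placeholders; the version comparison is a simplified stand-in for pkg's real algorithm.

```python
"""Toy model of pkg-audit(8) matching, added as an example for this thread;
it is not pkg's code.  The VuXML document, the vid, the package names and
the installed-package list are constructed placeholders.  Version
comparison is a simplified dotted-numeric comparison (epoch ',N' and
portrevision '_N' honoured), not pkg's complete version algorithm."""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed feed: one entry listing both the old and the renamed port
# name, the shape the thread says the dovecot entry now has.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>example-app -- constructed placeholder entry</topic>
    <affects>
      <package>
        <name>example-app</name>
        <name>example-app2</name>
        <range><lt>2.2.31</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# The same feed after the entry has been dropped: the "removed from VuXML"
# case in which pkg audit can no longer flag a still-installed package.
VUXML_ENTRY_REMOVED = '<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"/>'

# Constructed list in the shape of `pkg query '%n-%v'` output.
INSTALLED = ["example-app-2.2.29", "example-app2-2.2.30", "unrelated-1.0"]


def _vkey(version):
    """Sortable key: (epoch, dotted parts, portrevision).  Simplified."""
    epoch = 0
    if "," in version:
        version, e = version.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in version:
        version, r = version.rsplit("_", 1)
        rev = int(r)
    parts = tuple((0, int(t)) if t.isdigit() else (1, t)
                  for t in re.findall(r"\d+|[A-Za-z]+", version))
    return (epoch, parts, rev)


OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}


def in_range(version, bounds):
    """True if every bound inside one <range> holds (bounds are ANDed)."""
    key = _vkey(version)
    return all(OPS[op](key, _vkey(v)) for op, v in bounds)


def parse_vuxml(text):
    """Return [(vid, [(names, [[(op, version), ...], ...]), ...]), ...]."""
    entries = []
    for vuln in ET.fromstring(text).findall("v:vuln", NS):
        pkgs = []
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in pkg.findall("v:name", NS)]
            # Each <range> holds bounds such as <lt>, <ge>; strip the namespace.
            ranges = [[(b.tag.rsplit("}", 1)[1], b.text) for b in rng]
                      for rng in pkg.findall("v:range", NS)]
            pkgs.append((names, ranges))
        entries.append((vuln.get("vid"), pkgs))
    return entries


def audit(installed, vuxml_text):
    """Mimic pkg audit: map each affected installed package to its vids."""
    hits = {}
    for vid, pkgs in parse_vuxml(vuxml_text):
        for full in installed:
            name, version = full.rsplit("-", 1)  # version follows the last '-'
            for names, ranges in pkgs:
                if name in names and any(in_range(version, r) for r in ranges):
                    hits.setdefault(full, []).append(vid)
    return hits


if __name__ == "__main__":
    # Both name variants are flagged while the entry exists in VuXML...
    for pkg, vids in audit(INSTALLED, VUXML).items():
        print(f"{pkg} is vulnerable: {', '.join(vids)}")
    # ...and silently stop being flagged once the entry leaves the feed.
    print("after entry removal:", audit(INSTALLED, VUXML_ENTRY_REMOVED))
```

On a real system the two inputs come from `pkg audit -F` (fetches the current VuXML feed) and `pkg query '%n-%v'` (the locally registered packages); the point of the model is that the match is driven entirely by what is in the feed, so a package whose entry has been removed from VuXML cannot be reported no matter how long it stays in the local database.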