From owner-freebsd-ports@freebsd.org  Mon Oct  9 21:55:26 2017
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7A4EEE3D1FC
 for <freebsd-ports@mailman.ysv.freebsd.org>;
 Mon,  9 Oct 2017 21:55:26 +0000 (UTC)
 (envelope-from jbeich@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "freefall.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 5BE008188A;
 Mon,  9 Oct 2017 21:55:26 +0000 (UTC)
 (envelope-from jbeich@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 1354)
 id AED8C3CCE; Mon,  9 Oct 2017 21:55:25 +0000 (UTC)
From: Jan Beich <jbeich@FreeBSD.org>
To: Steve Wills <swills@FreeBSD.org>
Cc: Matthew Seaman <matthew@FreeBSD.org>, ale@Freebsd.org,
 freebsd-ports@freebsd.org
Subject: Re: New pkg audit FNs
References: <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz>
 <b63f2936-e922-4a90-f256-6d7870dbd55b@FreeBSD.org>
 <tvz8-rrf3-wny@FreeBSD.org>
 <d56ddf99-a1fc-e813-67ed-ea6d65c8211f@FreeBSD.org>
Date: Mon, 09 Oct 2017 23:55:22 +0200
In-Reply-To: <d56ddf99-a1fc-e813-67ed-ea6d65c8211f@FreeBSD.org> (Steve Wills's
 message of "Mon, 9 Oct 2017 17:09:28 -0400")
Message-ID: <o9pg-ouk5-wny@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2017 21:55:26 -0000

Steve Wills <swills@FreeBSD.org> writes:

> Hi,
>
> On 10/09/2017 16:34, Jan Beich wrote:
>> Matthew Seaman <matthew@FreeBSD.org> writes:
>>
>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>>
>>>> Can anyone say what mechanisms the ports-security team might have in
>>>> place to monitor CVEs and port software versions? 
>
> I've been hacking at a prototype for scanning what I can find:
>
> https://github.com/swills/nvd_to_new_vuxml

Wouldn't that encourage copypasta, exacerbating filesize issue? Why not
teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
Doing so would also provide a workaround for VuXML entries cancelled
to reduce bloat.