Date: Sat, 18 Jul 2015 20:45:53 -0500 From: Mark Felder <feld@feld.me> To: "Ion-Mihai Tetcu" <itetcu@FreeBSD.org> Cc: ports-secteam@freebsd.org, freebsd-ports@freebsd.org Subject: Re: AUDITFILE default for ports users Message-ID: <1437270353.4056941.327235545.7D2D9611@webmail.messagingengine.com> In-Reply-To: <20150719043547.4dd7c3b6@it.tim.tetcu.info> References: <20150718141713.5153018d@it.tim.tetcu.info> <379A9DE0-1D84-44F2-914F-3985FFA7320E@feld.me> <20150719043547.4dd7c3b6@it.tim.tetcu.info>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Jul 18, 2015, at 20:35, Ion-Mihai Tetcu wrote: > On Sat, 18 Jul 2015 17:30:52 -0500 > Mark Felder <feld@feld.me> wrote: > > > > > > On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu <itetcu@FreeBSD.org> > > > wrote: > > > > > > Hi, > > > > > > > > > I have some machines on which, for various reasons, only ports are > > > used. > > > > > > On upgrading ports, I keep running into the the fact that > > > /var/db/pkg/vuln.xml is lagging > > > behind /usr/ports/security/vuxml/vuln.xml which is updated via > > > portsnap (and thus upgrading the vulnerable ports fails). > > > > > > So I'd like to propose defaulting to vuln.xml from ports if it is > > > newer that the one from /var/db/pkg/ and AUDITFILE is not defined > > > by the user. > > > > > > Tentative patch attached (I'm not happy with the != constuct). > > > > > > > I might be slightly lost here regarding what issue you're hitting. > > Described above :) > I'm mostly an old-time ports user (as opposed to packages user). > > > The vuln.xml database at /var/db/pkg/vuln.xml is updated > > by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis. > > Yes, and if a fix for an know vuln was just committed, updating the > ports tree and upgrading the port will get the system patched faster > that waiting for the package to be built on the cluster. A ports user > would portsnap the ports, which will get a more up-to-date vuln.xml > that the one that was fetched by nightly cron. > > > If your database is out of date you can simply force a fetch of the > > database with `pkg audit -F`. > > Yes, or define AUDITFILE to be the one from ports in make.conf. > However both require manual action; I'm just proposing a (I think sane) > default. > > > Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished > > state from working on creating new entries > > One could argue you should do devel on an svn co'ed copy of the tree, > not the system one :) so I don't regard this as an valid argument. > I do development on /usr/ports which is a readonly checkout and used by poudriere, and then have another ports tree I apply patches to (~/svn/freebsd/ports) which is used for committing. :-) > > and I am not sure I would want the ports tree to think it should use > > that database just because it has a newer timestamp. > > I don't know a cheaper way to check if it's more up-to-date. > > > I suppose I would have to think about this a bit more... I'm not > > sure. Having two sources of "truth" seems like a disaster waiting to > > happen. > > True. But except if http://vuxml.freebsd.org/freebsd/vuln.xml.bz2 > update is triggered by each commit it will lag behind the (master) > version in the ports tree. > How often is updated this file fetched by `pkg audit -F`? > It's re-generated by cron every 5 minutes. > At lest for now, one can't really mix ports and packages on a daily > bases; a ports user would tend to ignore pkg features not directly > related to locally installed package management (delete/which/info/...). > > > I'm curious to hear what the other ports-secteam members think. > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1437270353.4056941.327235545.7D2D9611>