Date: Sat, 18 Jul 2015 17:30:52 -0500
From: Mark Felder <feld@feld.me>
To: Ion-Mihai Tetcu <itetcu@FreeBSD.org>
Cc: freebsd-ports@freebsd.org, ports-secteam@freebsd.org
Subject: Re: AUDITFILE default for ports users
Message-ID: <379A9DE0-1D84-44F2-914F-3985FFA7320E@feld.me>
In-Reply-To: <20150718141713.5153018d@it.tim.tetcu.info>
References: <20150718141713.5153018d@it.tim.tetcu.info>
> On Jul 18, 2015, at 06:17, Ion-Mihai Tetcu <itetcu@FreeBSD.org> wrote:
>
> Hi,
>
>
> I have some machines on which, for various reasons, only ports are used.
>
> On upgrading ports, I keep running into the fact that
> /var/db/pkg/vuln.xml is lagging behind /usr/ports/security/vuxml/vuln.xml
> which is updated via portsnap (and thus upgrading the vulnerable ports
> fails).
>
> So I'd like to propose defaulting to vuln.xml from ports if it is newer
> than the one from /var/db/pkg/ and AUDITFILE is not defined by the user.
>
> Tentative patch attached (I'm not happy with the != construct).
>

I might be slightly lost here regarding what issue you're hitting. The vuln.xml database at /var/db/pkg/vuln.xml is updated by /usr/local/etc/periodic/security/410.pkg-audit on a nightly basis. If your database is out of date you can simply force a fetch of the database with `pkg audit -F`.

Sometimes I leave /usr/ports/security/vuxml/vuln.xml in an unfinished state from working on creating new entries and I am not sure I would want the ports tree to think it should use that database just because it has a newer timestamp.

I suppose I would have to think about this a bit more... I'm not sure. Having two sources of "truth" seems like a disaster waiting to happen. I'm curious to hear what the other ports-secteam members think.
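The selection rule proposed in the quoted message, written out as a shell function so its edge cases are explicit. This is an added example for the thread, not the attached patch or any code from the ports tree; the function name `pick_auditfile` and its three arguments are assumptions, and the default paths are the ones named in the thread.

```shell
#!/bin/sh
# pick_auditfile USER_AUDITFILE [PKG_DB] [PORTS_DB]
#   - a user-defined AUDITFILE wins unconditionally
#   - otherwise the ports copy is used only when it is strictly newer
#     than the pkg copy (an equal timestamp keeps the pkg copy)
#   - a missing pkg copy falls back to the ports copy; if neither exists
#     the caller is told to fetch one with `pkg audit -F`
# Note the caveat raised in the reply above: a newer mtime on the ports
# copy can also mean a half-edited vuln.xml, so a timestamp alone is a
# weak signal of which database is the more trustworthy one.
pick_auditfile() {
    user="$1"
    pkgdb="${2:-/var/db/pkg/vuln.xml}"
    portsdb="${3:-/usr/ports/security/vuxml/vuln.xml}"

    if [ -n "$user" ]; then
        printf '%s\n' "$user"
        return 0
    fi
    if [ ! -f "$pkgdb" ] && [ ! -f "$portsdb" ]; then
        echo "no vuln.xml found; run 'pkg audit -F' to fetch one" >&2
        return 1
    fi
    if [ ! -f "$pkgdb" ]; then
        printf '%s\n' "$portsdb"
        return 0
    fi
    if [ ! -f "$portsdb" ]; then
        printf '%s\n' "$pkgdb"
        return 0
    fi
    # Both exist: -nt is true only when the first file is strictly newer.
    if [ "$portsdb" -nt "$pkgdb" ]; then
        printf '%s\n' "$portsdb"
    else
        printf '%s\n' "$pkgdb"
    fi
}
```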