Subject: pkg/12457: download-vulnerability-list doesn't support audit-packages
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@mines.edu>
List: netbsd-bugs
Date: 03/23/2001 07:22:18
>Number:         12457
>Category:       pkg
>Synopsis:       download-vulnerability-list doesn't support audit-packages
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 23 06:26:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jim Bernard
>Release:        March 23, 2001
>Organization:
>Environment:
System: NetBSD zoo 1.5S NetBSD 1.5S (ZOO-$Revision: 1.62 $) #0: Thu Mar 15 19:51:01 MST 2001 jim@zoo:/home/tmp/compile/sys/arch/i386/compile/ZOO i386
Architecture: i386
Machine: i386
>Description:
	The audit-packages script complains if the vulnerabilities file
	is more than one week old.  But the download-vulnerability-list
	script does not update the timestamp on the file if the
	vulnerabilities file on ftp.netbsd.org has not changed.  Hence,
	audit-packages makes spurious complaints about the age of the
	file, even if download-vulnerability-list has just been run.

	A second problem, also fixed below, is that the temporary file
	in which the download-vulnerability-list script stores the
	downloaded file is not deleted if it is identical to the local
	copy, so these build up over time, polluting the distfiles
	directory.

>How-To-Repeat:
	It's obvious from reading the script, but running the pair of
	scripts daily (e.g. in security.local) is a good (but slow!)
	way to discover that there is a problem.

>Fix:
	The download-vulnerability-list script should always touch the
	list file if it has successfully downloaded the current version,
	even if it doesn't change the local copy.  While here, I took
	the opportunity to make sure the script deletes the temporary
	file if it doesn't update the "permanent" copy.

--- download-vulnerability-list-dist	Wed Mar 21 05:00:38 2001
+++ download-vulnerability-list	Fri Mar 23 06:59:35 2001
@@ -8,10 +8,14 @@
 fi
 
 ${FETCH_CMD} -o ${NEW_VUL_LIST} ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities || \
 	(echo "Can't download vulnerability list"; exit 1)
 
-/usr/bin/cmp -s ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities > /dev/null 2>&1 || \
-	(/bin/mv ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities; \
-	 ${TOUCH} ${DISTDIR}/vulnerabilities)
+if /usr/bin/cmp -s ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities > /dev/null 2>&1
+then
+	/bin/rm ${NEW_VUL_LIST}
+else
+	/bin/mv ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities
+fi
+${TOUCH} ${DISTDIR}/vulnerabilities
 
 exit 0
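Review bot: the new unconditional `${TOUCH} ${DISTDIR}/vulnerabilities` at the end of the hunk also runs when the download has failed, because the `exit 1` in the context line `(echo "Can't download vulnerability list"; exit 1)` executes in a subshell and does not terminate the script; on a failed fetch the script then falls through, `cmp -s` fails on the missing temporary file, `/bin/mv` fails, and the touch refreshes the timestamp of the old list anyway, so audit-packages stops warning about a stale file exactly when the list could not be updated. Suggest making the failure path actually leave the script, e.g. `{ echo "Can't download vulnerability list"; exit 1; }`, or testing `${FETCH_CMD}` with `if ! ...; then ...; exit 1; fi`, and touching the list only after the download and the `/bin/mv` have succeeded (check the exit status of `/bin/mv` in the else branch too). Minor: `cmp -s` already suppresses its output, so the `> /dev/null 2>&1` redirection on the new `if` line is redundant.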
>Release-Note:
>Audit-Trail:
>Unformatted: