Subject: pkg/28230: bsd.pkg.mk ignores /etc/audit-packages.conf
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: pkgsrc-bugs
Date: 11/11/2004 21:43:00
>Number:         28230
>Category:       pkg
>Synopsis:       bsd.pkg.mk ignores /etc/audit-packages.conf
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 11 21:43:00 +0000 2004
>Originator:     Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
>Release:        NetBSD 2.0_RC4
>Organization:
Falling Raindrops
>Environment:
	
	
System: NetBSD pizza.causeuse.org 2.0_RC4 NetBSD 2.0_RC4 (PIZZA) #16: Wed Oct 20 00:51:42 CEST 2004 hauke@pizza.causeuse.org:/var/obj/netbsd-builds/2_0/sparc/obj/sys/arch/sparc/compile/PIZZA sparc
Architecture: sparc
Machine: sparc
>Description:

	security/audit-packages sources /etc/audit-packages.conf where
	you can provide an alternate location for the
	download-vulnerability-list file. Unfortunately, mk/bsd.pkg.mk
	does not know about this preference file, and complains
	loudly:

===> *** No /usr/src/pkgsrc/distfiles/pkg-vulnerabilities file found,
===> *** skipping vulnerability checks. To fix, install
===> *** the pkgsrc/security/audit-packages package and run
===> *** '/usr/pkg/sbin/download-vulnerability-list'.

>How-To-Repeat:

	Set PKGVULNDIR in /etc/audit-packages.conf to a non-default
	location, schedule a nightly download-vulnerability-list run
	and be surprised about the warning that appears during each
	and every package build. Find that bsd.pkg.mk looks at the 
	PKGVULNDIR variable but does not bother with
	/etc/audit-packages.conf.

>Fix:

	Teach mk/bsd.pkg.mk to look at /etc/audit-packages.conf.
>Unformatted:
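
The lookup the report asks for, sketched as an added example (not code from the report, mk/bsd.pkg.mk or audit-packages): read PKGVULNDIR from the same config file before deciding that the vulnerability list is missing. The function names are hypothetical. The example assumes the config file is a shell fragment that assigns PKGVULNDIR, and that its value overrides both the environment and the fallback directory.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical and the
# precedence (config file > environment > fallback) is an assumption.

# Print the directory that should hold pkg-vulnerabilities.
# $1 = config file (shell syntax, e.g. /etc/audit-packages.conf)
# $2 = fallback directory used when nothing else sets PKGVULNDIR
resolve_pkgvulndir() {
    (
        # Start from the caller's PKGVULNDIR or the fallback ...
        PKGVULNDIR=${PKGVULNDIR:-$2}
        # ... then let the config file override it. The subshell keeps
        # the file's assignments from leaking into the caller.
        if [ -r "$1" ]; then
            . "$1"
        fi
        printf '%s\n' "$PKGVULNDIR"
    )
}

# Return 0 if the vulnerability list is readable in the resolved
# directory, 1 otherwise (the case in which checks get skipped).
vuln_list_present() {
    dir=$(resolve_pkgvulndir "$1" "$2") || return 1
    [ -r "$dir/pkg-vulnerabilities" ]
}

# Constructed demo: the list lives in a non-default directory that
# only the config file knows about.
demo_tmp=$(mktemp -d)
mkdir -p "$demo_tmp/distfiles" "$demo_tmp/vuln"
: > "$demo_tmp/vuln/pkg-vulnerabilities"
echo "PKGVULNDIR=$demo_tmp/vuln" > "$demo_tmp/audit-packages.conf"

# Ignoring the config file (the reported behaviour): list not found.
vuln_list_present /nonexistent.conf "$demo_tmp/distfiles" \
    || echo "without config: list not found, checks would be skipped"
# Honouring the config file: list found.
vuln_list_present "$demo_tmp/audit-packages.conf" "$demo_tmp/distfiles" \
    && echo "with config: list found"
rm -rf "$demo_tmp"
```
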