Subject: pkg/28230: bsd.pkg.mk ignores /etc/audit-packages.conf
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: pkgsrc-bugs
Date: 11/11/2004 21:43:00
>Number: 28230
>Category: pkg
>Synopsis: bsd.pkg.mk ignores /etc/audit-packages.conf
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Nov 11 21:43:00 +0000 2004
>Originator: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
>Release: NetBSD 2.0_RC4
>Organization:
Falling Raindrops
>Environment:
System: NetBSD pizza.causeuse.org 2.0_RC4 NetBSD 2.0_RC4 (PIZZA) #16: Wed Oct 20 00:51:42 CEST 2004 hauke@pizza.causeuse.org:/var/obj/netbsd-builds/2_0/sparc/obj/sys/arch/sparc/compile/PIZZA sparc
Architecture: sparc
Machine: sparc
>Description:
security/audit-packages sources /etc/audit-packages.conf where
you can provide an alternate location for the
download-vulnerability-list file. Unfortunately, mk/bsd.pkg.mk
does not know about this preference file, and complains
loudly:
===> *** No /usr/src/pkgsrc/distfiles/pkg-vulnerabilities file found,
===> *** skipping vulnerability checks. To fix, install
===> *** the pkgsrc/security/audit-packages package and run
===> *** '/usr/pkg/sbin/download-vulnerability-list'.
>How-To-Repeat:
Set PKGVULNDIR in /etc/audit-packages.conf to a non-default
location, schedule a nightly download-vulnerability-list run
and be surprised about the warning that appears during each
and every package build. Find that bsd.pkg.mk looks at the
PKGVULNDIR variable but does not bother with
/etc/audit-packages.conf.
>Fix:
Teach mk/bsd.pkg.mk to look at /etc/audit-packages.conf.
>Unformatted:
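
Added example, not part of the original report or of pkgsrc: a shell check for the mismatch described above, comparing the directory used by a consumer that ignores the config file with the one obtained by sourcing it. The function names and the paths passed as arguments are assumptions; only PKGVULNDIR, /etc/audit-packages.conf and the pkg-vulnerabilities file name come from the report.

```sh
#!/bin/sh
# Added example (hypothetical helper names): detect when a build that ignores
# the audit-packages config file and audit-packages itself disagree about
# where the pkg-vulnerabilities list lives.

# Directory used by a consumer that honours only the environment and its
# built-in default (the bsd.pkg.mk behaviour the report describes).
vulndir_without_conf() {
    echo "${PKGVULNDIR:-$1}"            # $1 = default directory
}

# Directory used by a consumer that sources the config file first
# (the audit-packages behaviour the report describes).
vulndir_with_conf() {
    (   # Subshell: sourcing executes the file as shell code, so keep any
        # variables it sets out of the caller's environment.
        if [ -r "$1" ]; then . "$1"; fi # $1 = config file (absolute path)
        echo "${PKGVULNDIR:-$2}"        # $2 = default directory
    )
}

# Returns 0 when both agree and the list exists there,
#         1 when they disagree (the build would skip its vulnerability check
#           or read a list that the nightly download never refreshes),
#         2 when they agree but no list is present.
check_vulndir() {
    conf=$1
    default=$2
    build_dir=$(vulndir_without_conf "$default")
    audit_dir=$(vulndir_with_conf "$conf" "$default")
    if [ "$build_dir" != "$audit_dir" ]; then
        echo "MISMATCH: build looks in $build_dir, audit-packages uses $audit_dir" >&2
        return 1
    fi
    if [ ! -f "$build_dir/pkg-vulnerabilities" ]; then
        echo "MISSING: $build_dir/pkg-vulnerabilities" >&2
        return 2
    fi
    echo "OK: $build_dir/pkg-vulnerabilities"
}

# Run only when called with: <config file> <default directory>
if [ "$#" -eq 2 ]; then check_vulndir "$1" "$2"; fi
```

On the reporter's system the arguments would be /etc/audit-packages.conf and /usr/src/pkgsrc/distfiles, the directory named in the warning.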