Subject: pkg/32092: audit-packages version skew breaks badly
To: None <firstname.lastname@example.org, email@example.com,>
From: None <firstname.lastname@example.org>
Date: 11/17/2005 00:04:00
>Synopsis: audit-packages version skew wedges package system
>Arrival-Date: Thu Nov 17 00:04:00 +0000 2005
>Originator: David A. Holland <email@example.com>
>Release: NetBSD 2.0 (pkgsrc of 20051116)
System: NetBSD rhett 2.0 NetBSD 2.0 (GENERIC) #0: Wed Dec 1 10:58:25 UTC 2004 builds@build:/big/builds/ab/netbsd-2-0-RELEASE/i386/200411300000Z-obj/big/builds/ab/netbsd-2-0-RELEASE/src/sys/arch/i386/compile/GENERIC i386
If audit-packages is out of date, the ALLOW_VULNERABILITIES.*
In particular, I had last updated anything on this machine
sometime in August, and after cvs updating pkgsrc tonight I
got bitten by this.
It wedged the package system: before I could install anything
else, I had to update pkg_install, but I couldn't update
pkg_install either because the build system thought that some
unrelated vulnerabilities in other packages pertained to it.
Somewhat relatedly, audit-packages seems to depend on itself:
as part of an unwise workaround attempt I pkg_delete'd it, and
now that I have pkg_install updated I get this:
rhett# cd security/audit-packages
rhett# make update
===> Checking for vulnerabilities in audit-packages-1.40
===> *** The audit-packages package must be at least version 0.40
===> *** Please install pkgsrc/security/audit-packages package and run
===> *** '/usr/pkg/sbin/download-vulnerability-list'.
*** Error code 1
Additionally, after this message one gets
or if this package is absolutely essential, add this to mk.conf:
that is, the error message is being mishandled. And in the
process it seems to have been globbed by the shell, which is
itself probably a bad sign.
Get a suitably old version of audit-packages (my guess is that
reverting version 1.24 of security/audit-packages/files/audit-packages
will do the trick), install some package with a known vulnerability,
and try to build pkg_install. It might also be necessary to revert
pkg_install. (The previous version I had was, I believe, 20050718.)
I haven't actually tested this.
(To repeat the audit-packages problem, it should be sufficient
to pkg_delete it and attempt to reinstall it using today's
Most importantly, the proper workaround for the problem
is to delete everything but the header from the package
vulnerabilities file, update pkg_install and audit-packages,
then rerun download-vulnerability-list. I haven't actually
tried this but it should do the trick.
Deleting audit-packages to try to disable or fake out the
check was clearly the wrong idea. :-/
The proper fix:
1. pkg_install and audit-packages should always skip the
2. Setting ALLOW_VULNERABLE_PACKAGES=1 should still skip the
vulnerability check. Right now, it doesn't.
While it might be possible to work around the problem using
the new ALLOW_VULNERABILITIES logic, that's far from clear
and it's not at all obvious at this stage what the right
incantation would be. What the system suggests has the same
form as the paste above.
(Also, ALLOW_VULNERABLE_PACKAGES will still be useful for
3. The check that the version of audit-packages is >= 0.40
was presumably meant to be 1.40. Either that or it needs to
4. ...and obviously the problem with the adding-to-mk.conf
message ought to be straightened out, too.
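The workaround described above (empty the vulnerabilities file down to its header, update pkg_install and audit-packages, then fetch a fresh list) can be scripted. The following is an added example, not part of the PR or of pkgsrc; it assumes the pkg-vulnerabilities file is plain text whose header is the run of leading lines beginning with '#' and whose entries follow one per line, and the file location (/usr/pkg/share/pkg-vulnerabilities, overridable via PKGVULN), the pkgsrc tree location (/usr/pkgsrc) and the sample entries are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the PR or pkgsrc). Assumed layout: the
# vulnerabilities file starts with a block of '#' header lines, then one
# vulnerability entry per line. Paths below are assumptions.
PKGVULN=${PKGVULN:-/usr/pkg/share/pkg-vulnerabilities}
PKGSRCDIR=${PKGSRCDIR:-/usr/pkgsrc}

# count_entries FILE: number of entry lines (neither '#' comments nor blank).
count_entries() {
    # grep -c exits 1 when the count is 0; keep the count and ignore that.
    grep -cv -e '^#' -e '^$' "$1" || true
}

# strip_to_header FILE: keep a backup, then rewrite FILE so that only the
# leading header lines survive. awk stops at the first non-'#' line, so a
# '#' comment appearing later between entries is dropped along with them.
strip_to_header() {
    f=$1
    cp "$f" "$f.bak"
    awk '/^#/ { print; next } { exit }' "$f.bak" > "$f"
}

# make_sample: write a constructed, clearly fake vulnerabilities file to a
# temporary directory and print its path. Only for demonstration/testing.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/pkg-vulnerabilities" <<'EOF'
#FORMAT 1.0.0
#
# Constructed sample for demonstration; these are not real vulnerabilities.
#
# package		type of exploit		URL
foo<1.2			remote-root-shell	http://example.org/foo
bar-[0-9]*		denial-of-service	http://example.org/bar
EOF
    printf '%s\n' "$dir/pkg-vulnerabilities"
}

# apply_workaround: the full procedure from the PR, using the assumed paths.
# Requires root and a pkgsrc tree; never invoked by the demo below.
apply_workaround() {
    strip_to_header "$PKGVULN"
    (cd "$PKGSRCDIR/pkgtools/pkg_install" && make update) || return 1
    (cd "$PKGSRCDIR/security/audit-packages" && make update) || return 1
    /usr/pkg/sbin/download-vulnerability-list
}

# Run "sh thisfile demo" to exercise the header-stripping step on the
# constructed sample without touching the real vulnerabilities file.
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample)
    echo "entries before: $(count_entries "$sample")"
    strip_to_header "$sample"
    echo "entries after:  $(count_entries "$sample")"
    echo "remaining header:"
    cat "$sample"
fi
```

Running the demo shows two entries before and none after, with the five header lines intact; apply_workaround is the real sequence and is deliberately not run by the demo.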