pkgsrc-Bugs archive


pkg/39090: pkg_admin from pkg_install-renovation fails to run with 'fetch-pkg-vulnerabilities'



>Number:         39090
>Category:       pkg
>Synopsis:       pkg_admin from pkg_install-renovation fails to run with 'fetch-pkg-vulnerabilities'
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 03 10:35:00 +0000 2008
>Originator:     Stuart Shelton
>Release:        pkgsrc latest from CVS
>Organization:
>Environment:
IRIX64 6.5.30m; MIPSpro Compilers: Version 7.4.4m
>Description:

I'm unsure as to whether this problem affects pkg_install (which no longer 
builds on IRIX) or only pkg_install-renovation:

download-vulnerability-list is now a wrapper around 'pkg_admin 
fetch-pkg-vulnerabilities'.  However, when invoked this only outputs:

# /usr/bsd/sbin/download-vulnerability-list 
usage: pkg_admin [-bqSvV] [-C config] [-d lsdir] [-K pkg_dbdir] [-s sfx] command args ...
Where 'commands' and 'args' are:
 rebuild                     - rebuild pkgdb from +CONTENTS files
 rebuild-tree                - rebuild +REQUIRED_BY files from forward deps
 check [pkg ...]             - check md5 checksum of installed files
 add pkg ...                 - add pkg files to database
 delete pkg ...              - delete file entries for pkg in database
 set variable=value pkg ...  - set installation variable for package
 unset variable pkg ...      - unset installation variable for package
 lsall /path/to/pkgpattern   - list all pkgs matching the pattern
 lsbest /path/to/pkgpattern  - list pkgs matching the pattern best
 dump                        - dump database
 pmatch pattern pkg          - returns true if pkg matches pattern, otherwise false
 fetch-pkg-vulnerabilities [-s] - fetch new vulnerability file
 check-pkg-vulnerabilities [-s] <file> - check syntax and checksums of the vulnerability file
 audit [-es] [-t type] ...       - check installed packages for vulnerabilities
 audit-pkg [-es] [-t type] ...   - check listed packages for vulnerabilities
 audit-batch [-es] [-t type] ... - check packages in listed files for vulnerabilities
 audit-history [-t type] ...     - print all advisories for package names
 config-var name                 - print current value of the configuration variable
 check-signature ...         - verify the signature of packages
 sign-package pkg spkg key cert  - create signature

... furthermore manually running:

# pkg_admin -K /usr/bsd/var/db/pkg fetch-pkg-vulnerabilities

... results in the same output.
>How-To-Repeat:

Looking at a trace of what pkg_admin is doing, it repeatedly tries to open 
"/usr/bsd/etc/pkg_install.conf", and then prints its usage string when this 
fails.

This file doesn't exist on my system - having created one from the values in 
the manpage, it is read but I still see the usage text.

I've added values for VERIFIED_INSTALLATION, PKGVULNDIR, and PKGVULNURL.  I 
don't know what the correct value is for CERTIFICATE_ANCHOR_PKGS or 
CERTIFICATE_CHAIN, however (assuming that these do need to exist in advance) - 
but would a lack of this value cause vulnerabilities to not even be downloaded?

pkg_admin really needs better error reporting, to make it clear what values it 
is expecting to find and can't - and so why it is failing.
>Fix:


