Subject: Re: CVS commit: pkgsrc/security/audit-packages
To: Alistair Crooks <agc@pkgsrc.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: pkgsrc-changes
Date: 12/30/2005 09:46:10

On Fri, 30 Dec 2005, Alistair Crooks wrote:

>>> You can use a MESSAGE.common for the common parts and then the
>>> MESSAGE.${OPSYS} for the specific parts. My own pkgsrc has a
>>> security/audit-packages/MESSAGE.NetBSD
>>
>> The point is you don't have to add the MESSAGE related lines to the
>> Makefile, as it is done automatically.
>
> Thanks, I'm aware of what you can do with MESSAGE file processing.
>
> What I was looking for with this commit was a way to say "do this for
> every operating system except DragonFly", and I could see no easy way
> of doing that.  I'd be happy to be proved wrong.

I was trying to show that.

cp MESSAGE MESSAGE.common
cp MESSAGE MESSAGE.NetBSD
rm MESSAGE
vi MESSAGE.common # and make it common for all operating systems
vi MESSAGE.NetBSD # and leave just the NetBSD specific part
vi Makefile # and edit out any of the MESSAGE processing
vi MESSAGE.DragonFly # and leave just the DragonFly specific part
cvs rm MESSAGE
cvs add MESSAGE.common MESSAGE.NetBSD
cvs commit MESSAGE.common MESSAGE.NetBSD MESSAGE

(Sorry I don't have a patch since my audit-packages has many changes.)

> I also don't see any real need for it to be changed since we've had
> the MESSAGE handling in its present form for some time now, and this
> is the first exception we've found.

I don't understand. The way you have it now you get a NetBSD specific 
MESSAGE for Linux and other non-NetBSD operating systems (except 
DragonFly).

>>> I also have this patch (in my new MESSAGE.common but based on old MESSAGE):
>>
>> Sorry, it was reversed. Here again:
>>
>>  You may wish to have the vulnerabilities file downloaded daily so that
>> -it remains current.  This may be done by adding an appropriate entry
>> -to the root users crontab(5) entry.  For example the entry
>> +it remains current.  This may be done by adding an appropriate crontab(5)
>> +entry.  For example the entry
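
Review bot: the "+" lines drop "root users" without saying which account the crontab(5) entry belongs in, so a reader can no longer tell whether the daily download job needs root or only a user allowed to update the vulnerabilities file. Suggest stating that requirement in the new sentence, for instance "an appropriate crontab(5) entry for a user that can update the vulnerabilities file". As a style point, "For example the entry" reads better with a comma after "example".
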
>
> This also needs to be done for operating systems like Solaris, where I
> strongly doubt there's any /etc/security.local, although I admit I
> haven't looked lately.

I think we have some type of miscommunication. The above diff doesn't have 
anything operating system specific; it is the MESSAGE.common and the 
MESSAGE.NetBSD is just:

===========================================================================
$NetBSD$

In addition, you may wish to run the package audit from the daily
security script.  This may be accomplished by adding the following
lines to /etc/security.local

if [ -x ${PREFIX}/sbin/audit-packages ]; then
         ${PREFIX}/sbin/audit-packages
fi

===========================================================================

You could always add MESSAGE.SunOS later.

Maybe the MESSAGE.common could show the audit-packages -d switch. Or show
audit-packages run with a crontab entry also.

And then the MESSAGE.${OPSYS} could have the local way to do the download and
run audit-packages. (The way it is now assumes that the 
/etc/security.local runs fifteen minutes after the 
download-vulnerability-list.)


  Jeremy C. Reed

  technical support & remote administration
  http://www.pugetsoundtechnology.com/