pkgsrc-Users archive


Re: HEADS UP: security/audit-packages removal



On Mon, 7 Jan 2008, Adrian Portelli wrote:

Hisashi T Fujinaka wrote:
...
I'm unclear on the whole thing. On my -current system, audit-packages
does nothing. Well, it does something but doesn't indicate anything.
What am I supposed to be doing to check my packages on -current?

Have a look at the MESSAGE from pkgsrc/pkgtools/pkg_install and see if
that answers any of your questions.  I'd point you to other sources on
www.netbsd.org but I've just realised they are not fully up to date :<
I'll get on to updating them ASAP, but basically you:

* Run download-vulnerability-list from cron to get the updated list of
vulnerable packages (a.k.a. pkg-vulnerabilities)
* Run audit-packages from cron to scan for installed vulnerable packages

Also, if you install a package, and the pkgsrc infrastructure detects
you have the pkg-vulnerabilities file, it will warn you if the package
you are trying to install has any known security issues.


I'm also sane and run "stable" versions of netbsd on several
"production" servers rather than -current. What do I use instead of
audit-packages?

As I mentioned in my initial email all the functionality in
security/audit-packages is now in pkg_install.  Just make sure you have
a recent pkg_install package (i.e. post 20070714) and you will have all
the tools at your disposal.


Apparently something changed and I missed the notification, or perhaps
it was all decided on netbsd-core and the regular folks have no idea
what's going on. (Yes, this is yet another ignored complaint about
netbsd-core's opacity.)


The only real change that's gone on here is that security/audit-packages
has been replaced by tools in pkgtools/pkg_install.  With that
replacement has come extra functionality and improved performance.  So
basically it is a case of "same job, different tools".  Nothing has been
hidden here and there are multiple emails to public lists and
announcements that detail this [1].  Also, all the tools have associated
man pages.

regards,

adrian.

[1]
http://mail-index.netbsd.org/tech-userlevel/2007/02/22/0003.html
http://mail-index.netbsd.org/tech-pkg/2007/05/25/0001.html
http://mail-index.netbsd.org/tech-pkg/2007/10/15/0008.html

OK. Thanks for the info and the background!

--
Hisashi T Fujinaka - htodd%twofifty.com@localhost
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
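As an added example (not code from this thread or from pkg_install itself), a small cron wrapper around the two steps Adrian lists: refresh pkg-vulnerabilities, then scan. It assumes both tools are on PATH and that audit-packages prints one line per finding of the form "Package X has a Y vulnerability, see URL"; the sample output at the top is constructed for illustration.

```shell
#!/bin/sh
# Added example wrapper for the pkg_install audit tools (not from the thread).
# Assumed finding format (one line per vulnerable installed package):
#   Package <pkg> has a <type> vulnerability, see <url>

# Constructed sample of audit-packages output, used for offline testing.
SAMPLE_AUDIT_OUTPUT='Package foo-1.2 has a remote-code-execution vulnerability, see http://example.invalid/a
Package bar-0.9 has a denial-of-service vulnerability, see http://example.invalid/b'

# Count finding lines read from stdin (prints 0 when there are none).
count_findings() {
    grep -c '^Package .* has a .* vulnerability' || true
}

# Print only the affected package names, one per line, for a short cron mail.
affected_packages() {
    sed -n 's/^Package \([^ ]*\) has a .* vulnerability.*/\1/p'
}

# Refresh the list and scan. Exit 0 when clean, 1 when findings exist,
# 2 when the tools are missing or the download failed. The exit status of
# audit-packages itself is deliberately not relied upon; its output is parsed.
run_audit() {
    command -v download-vulnerability-list >/dev/null 2>&1 || return 2
    command -v audit-packages >/dev/null 2>&1 || return 2
    download-vulnerability-list >/dev/null 2>&1 || return 2
    out=$(audit-packages 2>&1) || true
    n=$(printf '%s\n' "$out" | count_findings)
    if [ "$n" -gt 0 ]; then
        printf 'vulnerable packages installed (%s):\n' "$n"
        printf '%s\n' "$out" | affected_packages
        return 1
    fi
    return 0
}

# Suggested crontab entry (assumed path for this script):
#   15 3 * * *  /usr/local/sbin/pkg-audit.sh
# cron mails the output to root only when something is printed.
run_audit
rc=$?
[ "$rc" -eq 2 ] && echo "pkg_install audit tools unavailable; nothing scanned" >&2
exit 0
```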


