Subject: Re: pkg_add mozilla ...?
To: John Franklin <franklin@elfie.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: port-i386
Date: 08/29/2002 22:06:32

On Thu, Aug 29, 2002 at 04:01:07PM -0400, John Franklin wrote:
> On Thu, Aug 29, 2002 at 03:50:53PM -0400, Steven M. Bellovin wrote:
> > In message <20020829192035.GA532@antioche.eu.org>, Manuel Bouyer writes:
> > >
> > >It's in pkgsrc. The binary may not be there for the same reason as
> > >mozilla.
> > 
> > And of course, right now the pkgsrc version of Mozilla has a security
> > advisory on it...
> 
> Is there some way pkg_add could detect and inform the user of packages
> that are missing because of security advisories?  (Obviously, from

Not pkg_add, because you may not have network available at this time
(I need to install xisp to have network access ...)

> network sources.)  Similarly, does pkg_add take advantage of
> audit-packages if present?  Say, you install a package from a CDROM
> that's old and has a security advisory on it.  pkg_add could allow it to
> proceed (user selectable), but inform the user of the advisory via
> audit-packages.

It's much, much better to run audit-packages from cron. Because the package
isn't marked as vulnerable at pkg_add time doesn't mean it won't be a few
days later.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
--
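
The point made in the reply above, as an added example that is not part of the original message or of pkgsrc: the same installed set audited against the vulnerability list as it stood at install time and again a few days later. The `audit` and `ver_lt` functions, the package names, the advisory URLs and the simplified `name<version type url` list layout are assumptions made for illustration; this is a stand-in for a periodic audit run, not the real `audit-packages`.

```shell
#!/bin/sh
# Simplified stand-in for a periodic audit run; NOT the real audit-packages.
# Assumed list layout, one entry per line: "name<version type url".

# ver_lt A B: succeeds when dotted numeric version A is lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# audit INSTALLED LIST: print "pkg type url" for every installed package
# whose version is below the bound in a matching list entry.
audit() {
    printf '%s\n' "$1" | while read -r pkg; do
        name=${pkg%-*} ver=${pkg##*-}
        printf '%s\n' "$2" | while read -r pattern type url; do
            case $pattern in
                "$name<"*)
                    if ver_lt "$ver" "${pattern#*<}"; then
                        echo "$pkg $type $url"
                    fi ;;
            esac
        done
    done
}

# Constructed sample data (hypothetical package names and advisories).
INSTALLED='foo-1.0
bar-2.7'
LIST_AT_INSTALL='baz<3.1 denial-of-service https://example.invalid/adv-1'
LIST_DAYS_LATER="$LIST_AT_INSTALL
foo<1.0.1 remote-code-execution https://example.invalid/adv-2"

echo "audit at install time:"
audit "$INSTALLED" "$LIST_AT_INSTALL"
echo "same packages, list refreshed a few days later:"
audit "$INSTALLED" "$LIST_DAYS_LATER"
```

A check made only at install time would have reported nothing for `foo-1.0`; the recurring run is what catches the entry published afterwards.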