Subject: Re: vulnerabilities report..
To: Hubert Feyrer <hubert@feyrer.de>
From: Alistair Crooks <AlistairCrooks@excite.com>
List: tech-pkg
Date: 11/21/2000 02:26:29
On Tue, 21 Nov 2000 03:43:44 +0100 (MET), Hubert Feyrer wrote:

>  On Tue, 21 Nov 2000 itojun@iijlab.net wrote:
>  > 	if you would like to check already-installed packages,
>  > 	install pkgsrc/security/audit-packages and run
>  > 	% /usr/pkg/sbin/download-vulnerability-list
>  > 	% /usr/pkg/bin/audit-packages
>  
>  
>  Maybe the output of 'show-vulnerabilities' could be made a tiny bit more
>  helpful:
>  
>  miyu% cd /usr/pkgsrc/audio/gqmpeg/
>  miyu% make show-vulnerabilities
>  No vulnerabilities list found.
>  
>  Oh, and not displaying the whole "vulnerability" paragraph in README.html
>  files without any vulnerabilities would be nice.
>  And some words in Packages.txt ...

The show-vulnerabilities target is not meant to be run directly, although
you can still do it if you want. You are meant to run the audit-packages
script. The show-vulnerabilities target is run automatically at the end of
the fake-pkg target to check whether the package you have just installed has
any known exploits. You could add some text to Packages.txt if you want, but
I'd prefer it if you didn't, since that would only encourage people to use
what's meant to be an internal target.

% audit-packages
** Missing /usr/distfiles/vulnerabilities
** run download-vulnerability-list
%

and

% audit-packages
** /usr/distfiles/vulnerabilities more than a week old
** run download-vulnerability-list
%

The vulnerability paragraph in the README.html should stay, since it shows
that there are no known vulnerabilities for that package. It is just
confirmation that, as far as is known, there are no known exploits for the
package.


Regards,
Alistair
--
Alistair Crooks (agc@pkgsrc.org)
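The two pre-flight checks the reply shows (missing list, list older than a week) as a POSIX sh function that returns a distinct status code for each case. This is an added example, not the audit-packages script itself; the list path and the seven-day limit are taken from the messages quoted above and are overridable assumptions.

```shell
#!/bin/sh
# Added example: reproduce the staleness checks audit-packages performs on
# the downloaded vulnerability list. Defaults (path, age) are assumptions.

VULN_LIST="${VULN_LIST:-/usr/distfiles/vulnerabilities}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"

# check_vuln_list FILE [DAYS]
#   returns 0 if FILE exists and is at most DAYS days old,
#           1 if FILE is missing,
#           2 if FILE is older than DAYS days (a stale list means the audit
#             may miss recently published vulnerabilities).
check_vuln_list() {
    file="$1"
    days="${2:-$MAX_AGE_DAYS}"
    if [ ! -f "$file" ]; then
        echo "** Missing $file" >&2
        echo "** run download-vulnerability-list" >&2
        return 1
    fi
    # find prints the path only when the file's mtime is more than DAYS
    # whole days in the past; an empty result means the list is fresh.
    if [ -n "$(find "$file" -mtime +"$days" -print 2>/dev/null)" ]; then
        echo "** $file more than $days days old" >&2
        echo "** run download-vulnerability-list" >&2
        return 2
    fi
    return 0
}

# Usage: refuse to audit against a missing or stale list.
if [ "${1:-}" = "--check" ]; then
    check_vuln_list "$VULN_LIST" || exit $?
    echo "vulnerability list $VULN_LIST is present and current"
fi
```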
