Subject: Re: vulnerabilities report..
To: Hubert Feyrer <>
From: Alistair Crooks <>
List: tech-pkg
Date: 11/21/2000 02:26:29
On Tue, 21 Nov 2000 03:43:44 +0100 (MET), Hubert Feyrer wrote:

>  On Tue, 21 Nov 2000 wrote:
>  > 	if you would like to check already-installed packages,
>  > 	install pkgsrc/security/audit-packages and run
>  > 	% /usr/pkg/sbin/download-vulnerability-list
>  > 	% /usr/pkg/bin/audit-packages
>  Maybe the output of 'show-vulnerabilities' could be made a tiney bit more
>  helpful:
>  miyu% cd /usr/pkgsrc/audio/gqmpeg/
>  miyu% make show-vulnerabilities
>  No vulnerabilities list found.
>  Oh, and not displaying the whole "vulnerability" paragraph in README.html
>  files without any vulnerabilities would be nice.
>  And some words in Packlages.txt ...

The show-vulnerabilities target is not meant to be run directly, although
you can still do it if you want. You are meant to run the audit-packages
script. The show-vulnerabilities target is run automatically at the end of
the fake-pkg target to check that the package you have just installed has
any known exploits. You could add some text to Packages.txt if you want, but
I'd prefer it if you didn't, since that would only encourage people to use
what's meant to be an internal target.

% audit-packages
** Missing /usr/distfiles/vulnerabilities
** run download-vulnerability-list


% audit-packages
** /usr/distfiles/vulnerabilities more than a week old
** run download-vulnerability-list

The vulnerability paragraph in the README.html should stay, since it shows
that there are no known vulnerabilities for that package. It is just
confirmation that, as far as is known, there are no known exploits for the

Alistair Crooks (

Tired of slow Internet? Get @Home Broadband Internet