Subject: audit-packages is not capable of dealing with the likes of BIND-9 vs. BIND-8
To: NetBSD Packages Technical Discussion List <tech-pkg@NetBSD.ORG>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 07/08/2002 13:56:16
I've been geting this rather annoying and incorrect warning of late:
[ On Monday, July 8, 2002 at 03:20:24 (-0400), Charlie Root wrote: ]
> Subject: sometimes daily insecurity output for Mon Jul 8 03:15:01 EDT 2002
> Running /usr/sbin/download-vulnerability-list:
> Trying 3ffe:8050:201:1860:2e0:81ff:fe03:ecf2...
> Trying 18.104.22.168...
> Running /usr/sbin/audit-packages:
> Package bind-8.3.3 has a denial-of-service vulnerability, see http://www.cert.org/advisories/CA-2002-15.html
Well I finally got around to looking at its cause, and it appears to be
a case where audit-packages, and thus really pkg_info, is incapable of
understanding package names which include part of the version number.
I the only real solution I can think of is to set net/bind9's PKGNAME to
be "bind9", not "bind" (and fix the vulnerabilities file of course). I
suppose net/bind8 should be changed similarly, as well as any other
package where there are two major branches of a project in active use
(i.e. supported in pkgsrc) and they currently go by the same basename.
This is, BTW, why my updates in PR#16202 included the beginnings of
confilicts for the other bind packages -- I just hadn't gotten around to
making the PKGNAME changes and I'd forgotten why I was trying to do
Greg A. Woods
+1 416 218-0098; <email@example.com>; <firstname.lastname@example.org>
Planix, Inc. <email@example.com>; VE3TCP; Secrets of the Weird <firstname.lastname@example.org>