Subject: Re: pkg/19479: pkgsrc waits until package is built to check for security alert
To: Jeremy C. Reed <reed@reedmedia.net>
From: John Franklin <franklin@elfie.org>
List: tech-pkg
Date: 12/20/2002 22:18:41

On Fri, Dec 20, 2002 at 04:59:26PM -0800, Jeremy C. Reed wrote:
> On Fri, 20 Dec 2002 franklin@elfie.org wrote:
> 
> > >Synopsis:  pkgsrc waits until package is built to check for security
> > >alert
> 
> > >How-To-Repeat:
> >
> > cd /usr/pkgsrc
> > cvs update -r netbsd-1-5-PATCH003
> 
> You requested the old (non-updated) version.

Updated binary packages aren't available on ftp.netbsd.org for 1.5.3,
which means I have to build them myself.

The pkgsrc-current makefiles don't work without some new .mk files or
the -current make and possibly the rest of the toolchain.  I'm not sure
which, and when I'm running a production system looking for updated
packages to fix security holes, I'm not interested in debugging it.

> > cd www/w3m
> > make install
> > >Fix:
> >
> > Add checks early on in the make process that a package has a security
> > alert issued for it.
> 
> Are you talking about audit-packages?
> 
> Are you suggesting checking the vulnerabilities list at beginning of the
> make? That does sound like an okay idea (if audit-packages is installed).

Yes, and yes.

jf
-- 
John Franklin
franklin@elfie.org
ICBM: 35°43'56"N 78°53'27"W
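
The early check agreed on in this thread (consult the vulnerabilities list at the beginning of the make, before anything is built), as an added example that is not part of the original mail and is not pkgsrc or audit-packages code. Assumptions: the function names, the "<pattern> <type> <url>" list layout, the constructed entries, and support for only `<` and `<=` patterns with dotted numeric versions.

```shell
#!/bin/sh
# Added illustration, not pkgsrc or audit-packages code.

# Constructed advisory list; the "<pattern> <type> <url>" layout is assumed.
sample_vulns() {
    cat <<'EOF'
# pattern type url (all entries constructed)
examplepkg<1.2.3 remote-code-execution https://example.invalid/adv-1
otherpkg<=2.0 denial-of-service https://example.invalid/adv-2
EOF
}

# ver_lt A B: succeed when dotted numeric version A sorts before B.
# Fields are compared as numbers, so 1.10 is newer than 1.2.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# check_vuln NAME VERSION: print every matching advisory.
# Returns 1 when at least one advisory matches, 0 when none does.
check_vuln() {
    name=$1 ver=$2 hit=0
    while read -r pattern kind url; do
        case $pattern in ''|\#*) continue ;; esac
        case $pattern in
            "$name<="*) limit=${pattern#"$name<="}
                        if ver_lt "$limit" "$ver"; then continue; fi ;;
            "$name<"*)  limit=${pattern#"$name<"}
                        ver_lt "$ver" "$limit" || continue ;;
            *) continue ;;
        esac
        echo "VULNERABLE: $name-$ver matches $pattern ($kind) $url"
        hit=1
    done <<EOF
$(sample_vulns)
EOF
    return $hit
}

# Pre-build gate: run before fetch/compile and stop if an advisory matches.
check_vuln examplepkg 1.2.0 || echo "refusing to build examplepkg-1.2.0"
```
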