Subject: vulnerabilities file out of date and issues arising
To: None <tech-pkg@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-pkg
Date: 12/12/2003 08:56:41
This morning I got a large number of emails from audit-packages that
said things like:

** /n0/ANONCVS/pkgsrc/distfiles/pkg-vulnerabilities more than a week old
** Please run download-vulnerability-list

I fetch through a squid (via ftp_proxy environment variable set in
crontab), but that seems not to be involved; the file seems not to
have been updated:

fnord gdt 15 ~ > ftp
ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/
Trying 2001:4f8:4:7:2e0:81ff:fe21:6563...
Connected to ftp.NetBSD.org.
220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20020615) ready.
331 Guest login ok, type your name as password.
230-[omitted]
250 CWD command successful.
ftp> dir pkg-vulnerabilities
229 Entering Extended Passive Mode (|||51380|)
150 Opening ASCII mode data connection for '/bin/ls'.
-rw-rw-r--  1 1176  netbsd  39954 Dec  4 12:01 pkg-vulnerabilities
226 Transfer complete.
ftp>

I can certainly believe that we had a week without any
newly-discovered vulnerabilities.  But audit-packages is treating
pkg-vulnerabilities like a Certificate Revocation List (CRL), and it
is finding that it doesn't have a current CRL.

So either download-vulnerability-list should somehow indicate
freshness of the file, e.g. by touching verified-pkg-vulnerabilities
(pkg-vulnerabilities really should have the same date locally as on
the origin server IMHO), or the file should get updated often enough
even if the timestamp just changes.  This would follow good PKI
practices of issuing a new CRL at the stated interval even if there
are no revocations; the point is for a client to be able to know that
they have the updated list.

-- 
        Greg Troxel <gdt@ir.bbn.com>
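As an added illustration (not code from the post or from pkgsrc), a small Python model of the marker-file proposal above: the fetcher stamps a verified-pkg-vulnerabilities marker on every successful download even when the list is unchanged, and the age check reads that stamp instead of the list's own mtime. The one-week threshold, the function names and the sample list entry are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

DAY = 24 * 3600
MAX_AGE = 7 * DAY  # assumed: audit-packages' "more than a week old" threshold


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_download(fetched: bytes, vuln_file: Path, marker: Path, now: float) -> bool:
    """Hypothetical download-vulnerability-list behaviour.

    Rewrite pkg-vulnerabilities only when its content changed, but stamp
    the verified-pkg-vulnerabilities marker on every successful fetch, so
    an unchanged list still records when it was last confirmed current.
    Returns True when the content changed.
    """
    changed = not vuln_file.exists() or _sha256(vuln_file.read_bytes()) != _sha256(fetched)
    if changed:
        vuln_file.write_bytes(fetched)
        os.utime(vuln_file, (now, now))
    marker.touch()
    os.utime(marker, (now, now))
    return changed


def freshness(stamp_file: Path, now: float, max_age: float = MAX_AGE) -> str:
    """CRL-style check: the list is usable only if its stamp is within max_age."""
    if not stamp_file.exists():
        return "unverified"
    return "stale" if now - stamp_file.stat().st_mtime > max_age else "fresh"


def simulate() -> dict:
    """Replay the post's situation: list published on day 0, checked on day 8."""
    t0 = time.time()
    with tempfile.TemporaryDirectory() as d:
        vuln, marker = Path(d) / "pkg-vulnerabilities", Path(d) / "verified-pkg-vulnerabilities"
        listing = b"# constructed sample list\nfoo-1.0 remote-code-execution http://example.invalid/\n"
        first = record_download(listing, vuln, marker, t0)
        no_fetch = freshness(marker, t0 + 8 * DAY)  # nothing fetched since day 0
        second = record_download(listing, vuln, marker, t0 + 8 * DAY)  # identical content re-fetched
        return {
            "first_changed": first,
            "no_fetch": no_fetch,
            "second_changed": second,
            "by_content_mtime": freshness(vuln, t0 + 8 * DAY),
            "by_marker": freshness(marker, t0 + 8 * DAY),
        }
```

The last two results show the difference the post asks for: judged by the list's own mtime the unchanged file still looks stale, while the marker records that it was verified today.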