Subject: Re: Speeding up the vulnerabilities check
To: Roland Illig <>
From: Alistair Crooks <>
List: tech-pkg
Date: 03/01/2005 08:33:32

On Sun, Feb 27, 2005 at 05:07:34PM +0100, Roland Illig wrote:
> Alistair Crooks wrote:
> >I took smb's suggestion, and added a check in for a metacharacter in the
> >"skip" case, which makes things a lot faster for me, and restores the
> >previous behaviour of only running a pkg_admin check if the PKGBASE is
> >the vulnerable pattern, or if there's a metacharacter in the pattern.
> >
> >Further testing is needed - hence this mail.
> I like your patch, too, especially because it is so much shorter than 
> mine. But it is also a bit slower, because it still calls pkg_admin 57 
> times instead of only one time:
>   $ cd /usr/pkgsrc/pkgtools/pkglint
>   $ make check-vulnerable PKG_ADMIN=true | grep WARNING | wc -l
>       57

Yes, that matches with the number of patterns which contain '{' in them
in pkg-vulnerabilities.

> Your patch restricts us a bit on the valid PKGBASE names to not use any 
> regexp metacharacters. We already have packages that contain regexp 
> metacharacters:
>   $ cd /usr/pkgsrc
>   $ ls -d */*/ | grep -Eiv '^[-a-z0-9]+/[-_a-z0-9]+/$'
> Also we must agree that every pattern in pkg-vulnerabilities contains 
> the complete PKGBASE as a substring, which is not required by now. So if 
> you commit your patch, please update the documentation in the 
> pkg-vulnerabilities file.

Good point. However, this has always been the case since we introduced
the audit-packages package back in September 2000.

Your modifications to pkg_admin are good, but there are a number of things
that we'd need to do as well if we are to introduce them:

1.  bump the pkg_install version number, and then PKGTOOLS_REQD for
everyone who is building packages (not a particularly onerous thing,
but it can be a PITA if you have a lot of machines to manage)

2.  decide what to do about audit-packages - take advantage of the
speed-up from an improved pkg_admin, or stick with the problems of
regexp metacharacters?

3.  if we do that for audit-packages, we'd have to introduce a check
in audit-packages that the pkg_install tools were up to date, and
this is where it gets hairy. Possibly one way around this is to
take advantage of an improved pkg_admin if it will do the job, and
fall back to the existing method if not.

However, the speed at the moment is not acceptable, especially on
slower platforms.

For just now, I think I will commit the short-term one-liner to get
us back to where we were before, and long-term we should address
the issues above.

Thanks for looking at this,
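
The skip heuristic discussed in this message, as an added sketch that is not the patch from the thread or pkgsrc's own code: a pattern is handed to the expensive matcher only if it contains a metacharacter or contains PKGBASE as a literal substring. The function names, the metacharacter set (`{`, `*`, `?`, `[`) and the sample patterns are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not the committed pkgsrc change.
# Assumption: "metacharacter" means any of { * ? [ in the pattern.

# needs_full_match PATTERN PKGBASE
# Returns 0 when the expensive pattern match has to be run,
# 1 when the entry can be skipped without running it.
needs_full_match() {
	case "$1" in
	# A metacharacter means a substring test cannot decide the match.
	*"{"*|*"*"*|*"?"*|*"["*) return 0 ;;
	# Quoted expansion: PKGBASE is compared literally, so characters
	# such as '+' or '.' in a package name have no special meaning.
	*"$2"*) return 0 ;;
	esac
	return 1
}

# count_candidates PKGBASE
# Reads one pattern per line on stdin and prints how many of them
# would still need the expensive match for this PKGBASE.
count_candidates() {
	n=0
	while IFS= read -r pat; do
		[ -n "$pat" ] || continue
		if needs_full_match "$pat" "$1"; then
			n=$((n + 1))
		fi
	done
	echo "$n"
}

# Constructed sample patterns, not taken from the real
# pkg-vulnerabilities file.
SAMPLE_PATTERNS='pkglint<4.0
foo<1.2
{bar,baz}-client<2.0
libexample>=1.0<1.4
ap{,2}-example<0.9'

# Stand-alone run: patterns needing a full match for PKGBASE=pkglint.
printf '%s\n' "$SAMPLE_PATTERNS" | count_candidates pkglint
```

The heuristic is only sound under the condition raised in the quoted reply: every pattern without a metacharacter must contain the complete PKGBASE as a substring.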