Subject: Re: adding check for binary packages to audit-packages
To: Jeremy C. Reed <>
From: Alistair Crooks <>
List: tech-pkg
Date: 05/12/2005 13:00:04
On Wed, May 11, 2005 at 04:00:43PM -0700, Jeremy C. Reed wrote:
> I needed a quick way to list which of my binary packages had
> vulnerabilities. lintpkgsrc is way too slow! My quick solution follows.

What a marvellous idea!

Whilst we're at it, I've noticed that my backups take longer than they
used to - too much data! - and so I'd like to propose that we add a
switch to audit-packages which would do my backups as well. They are
run at roughly the same time of day after all on some of my boxes.
Other, more vulnerable ones, run audit-packages every 4 hours or so.
> I'd like to suggest that the default PKGVULNDIR is somewhere that is on
> all systems using NetBSD packages, such as ${PKG_DBDIR} (like
> /var/db/pkg-vulnerabilities).

The default was chosen because it was known to be a writable directory
for pkgsrc. It has subsequently been changed to be able to be set on
machines where such a writable directory does not exist.

Believe me, the *LAST* place I want to be writable by anyone on DMZ
machines or similar bastions is the PKG_DBDIR directory.
> The code for figuring out the fetch command and that complaint of unknown
> fetch command probably should be done at pkgsrc build time of the package
> and not needed in the end result script. Anyone want to improve that?

No, it shouldn't be done like that - the way it is now allows people
to use different FETCH_CMDs.  Please don't try to change this.
> And maybe provide some way to have multiple pkg-vulnerabilities files. Any
> thoughts on that? For example, if you use or offer pkgsrc packages not
> included in official NetBSD pkgsrc.

I have no problems with doing that for yourself, but this falls under
the heading of "why don't we allow downloading the pkg-vulnerabilities
file from any sites other than the official one?", and hopefully the
answer should be fairly obvious why we don't.