Subject: Re: vulnerabilities not being checked at package compile time
To: Steven M. Bellovin <>
From: Jeremy C. Reed <>
List: tech-pkg
Date: 09/01/2005 08:27:51
On Thu, 1 Sep 2005, Steven M. Bellovin wrote:

> I'm running audit-packages 1.38, which seems to put the vulnerability
> list in /usr/pkg/share/pkg-vulnerabilities.  However, 'make' is
> checking /usr/pkgsrc/distfiles/pkg-vulnerabilities.  I have up-to-date
> pkgsrc (from the head), up-to-date audit-packages, and up-to-date
> pkg_install.  Am I doing something wrong, or should I send-pr?
> (This is on -current from 13 August.)

This is based on the PKGVULNDIR setting. It defaults to ${DISTDIR} (your 
/usr/pkgsrc/distfiles). I guess your audit-packages was built with 
PKGVULNDIR set to /usr/pkg/share/.

You can also set PKGVULNDIR in your shell environment and 
download-vulnerability-list and audit-packages should use it. Or they can 
be set in your ${PKG_SYSCONFDIR}/audit-packages.conf file.

Look at your audit-packages script to see what is hard-coded in it, check 
your audit-packages.conf configuration, or see if PKGVULNDIR is defined in 

  Jeremy C. Reed

  	  	 	 Low cost press releases