Subject: Re: vulnerabilities not being checked at package compile time
To: Jeremy C. Reed <>
From: Steven M. Bellovin <>
List: tech-pkg
Date: 09/01/2005 11:39:28
In message <>, "Jeremy C. Reed" writes:
>On Thu, 1 Sep 2005, Steven M. Bellovin wrote:
>> I'm running audit-packages 1.38, which seems to put the vulnerability
>> list in /usr/pkg/share/pkg-vulnerabilities.  However, 'make' is
>> checking /usr/pkgsrc/distfiles/pkg-vulnerabilities.  I have up-to-date
>> pkgsrc (from the head), up-to-date audit-packages, and up-to-date
>> pkg_install.  Am I doing something wrong, or should I send-pr?
>> (This is on -current from 13 August.)
>This is based on the PKGVULNDIR setting. It defaults to ${DISTDIR} (your 
>/usr/pkgsrc/distfiles). I guess your audit-packages was built with 
>PKGVULNDIR set to /usr/pkg/share/.
>You can also set PKGVULNDIR in your shell environment and 
>download-vulnerability-list and audit-packages should use it. Or they can 
>be set in your ${PKG_SYSCONFDIR}/audit-packages.conf file.
>Look at your audit-packages script to see what is hard-coded in it, check 
>your audit-packages.conf configuration, or see if PKGVULNDIR is defined in 

I don't recall ever setting it explicitly, but I think the last time 
audit-packages was built it was under pkg_comp, which may have had some 

Different packages shouldn't have different defaults....

		--Steven M. Bellovin,
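The mismatch described in this thread (pkgsrc `make` reading one copy of pkg-vulnerabilities while audit-packages reads another) comes down to which PKGVULNDIR wins. The following POSIX sh example is added here to illustrate that; it is not code from the thread or from pkgsrc. It assumes the precedence the reply describes (shell environment, then `${PKG_SYSCONFDIR}/audit-packages.conf`, then the `${DISTDIR}` default) and assumes audit-packages.conf sets the value with a plain `PKGVULNDIR=...` line; the directories and list files it builds under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from pkgsrc: resolve PKGVULNDIR with
# the precedence the reply describes and check whether two candidate
# pkg-vulnerabilities files (the one 'make' would read and the one
# audit-packages would read) actually agree.

# resolve_pkgvulndir CONF DISTDIR
#   1. PKGVULNDIR exported in the environment wins,
#   2. otherwise a PKGVULNDIR= line in CONF (assumed audit-packages.conf format),
#   3. otherwise DISTDIR, the pkgsrc default.
resolve_pkgvulndir() {
    conf="$1"
    distdir="$2"
    if [ -n "${PKGVULNDIR:-}" ]; then
        echo "$PKGVULNDIR"
        return 0
    fi
    if [ -r "$conf" ]; then
        # last uncommented PKGVULNDIR= line wins; strip surrounding quotes
        v=$(sed -n 's/^[[:space:]]*PKGVULNDIR=//p' "$conf" | tail -n 1 | tr -d '"')
        if [ -n "$v" ]; then
            echo "$v"
            return 0
        fi
    fi
    echo "$distdir"
}

# compare_vuln_lists DIR_A DIR_B
#   exit status 0: both lists present and identical
#                1: both present but differ (one side is stale)
#                2: at least one list is missing
compare_vuln_lists() {
    a="$1/pkg-vulnerabilities"
    b="$2/pkg-vulnerabilities"
    [ -r "$a" ] && [ -r "$b" ] || return 2
    cmp -s "$a" "$b" && return 0
    return 1
}

# Stand-alone demonstration on constructed directories: a 'make' side that
# uses the DISTDIR default and an audit-packages side configured via conf.
demo_pkgvulndir_mismatch() {
    t=$(mktemp -d)
    mkdir -p "$t/distfiles" "$t/share"
    printf '# constructed sample list, old\n' > "$t/distfiles/pkg-vulnerabilities"
    printf '# constructed sample list, new\n' > "$t/share/pkg-vulnerabilities"
    printf 'PKGVULNDIR="%s"\n' "$t/share" > "$t/audit-packages.conf"

    make_side=$(resolve_pkgvulndir "$t/no-such.conf" "$t/distfiles")
    audit_side=$(resolve_pkgvulndir "$t/audit-packages.conf" "$t/distfiles")
    echo "make reads:           $make_side/pkg-vulnerabilities"
    echo "audit-packages reads: $audit_side/pkg-vulnerabilities"

    rc=0
    compare_vuln_lists "$make_side" "$audit_side" || rc=$?
    case $rc in
        0) echo "lists agree" ;;
        1) echo "lists differ: one of them is stale" ;;
        2) echo "a list is missing" ;;
    esac
    rm -rf "$t"
    return $rc
}

demo_pkgvulndir_mismatch
```

Running the block prints the two paths and "lists differ", which is exactly the situation in the original question: a list fetched into one directory and a build that checks the other. Exporting one PKGVULNDIR in the shell before both `download-vulnerability-list` and `make` makes the two calls resolve to the same directory.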