Subject: improved pkg-vulnerabilities checking
To: None <>
From: Eric Haszlakiewicz <>
List: tech-pkg
Date: 11/09/2005 16:32:46
	It's bugged me for a while that the switch to turn off vulnerability
checking when building packages is an all-or-nothing switch, i.e. it
skips checks for everything.  I changed it so I can do things
like this instead:

Then, it occurred to me that just because I ignore one particular
vulnerability I might still care about a new one that is discovered later.
So, in addition to the above I thought something like this might be workable:


Where the "vulnerability id" is the index of the vulnerability in the
pkg-vulnerabilities file.  (i.e. line number, but not counting comment lines)
However, that seems somewhat fragile so I was thinking of changing the
format of the file so it looks like this:
<pkg pattern>   <vulnid>,<type>   <url>
libungif<4.1.3nb3   1520,remote-code-execution

and bumping the format version to 1.0.1.  (not 1.1, since it's still compatible
with the old audit-packages script)
Then, since it's nice not to duplicate code, I combined it all into the
audit-packages script and had the package makefiles call that instead.

Patch is available at
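The following is an added reference parser for the proposed 1.0.1 layout, not the audit-packages script or the patch from the mail. It shows how an ignore list keyed on the stable vulnerability id leaves newer entries for the same package (here the constructed 1521) still reported. The version comparison is a simplified stand-in for pkgsrc dewey matching, and the 1521/1522 entries and URLs are made up.

```python
import re
from fnmatch import fnmatch

# Constructed sample in the proposed layout: <pkg pattern> <vulnid>,<type> <url>
# Entry 1520 comes from the mail; 1521, 1522 and the URLs are placeholders.
SAMPLE = """\
#FORMAT 1.0.1
libungif<4.1.3nb3   1520,remote-code-execution   http://example.invalid/adv-1520
libungif<4.1.4      1521,denial-of-service       http://example.invalid/adv-1521
foo-[0-9]*          1522,local-root-shell        http://example.invalid/adv-1522
"""

def dewey(version):
    """Simplified pkgsrc version key: numeric components, then the nbN revision."""
    main, _, nb = version.partition("nb")
    return ([int(x) for x in re.findall(r"\d+", main)], int(nb or 0))

def parse_vulnerabilities(text):
    """Yield (pattern, vulnid, type, url); '#' lines (incl. #FORMAT) are comments."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        pattern, idtype = fields[:2]
        url = fields[2] if len(fields) > 2 else ""   # URL may be absent, as in the mail
        vulnid, vulntype = idtype.split(",", 1)
        yield pattern, int(vulnid), vulntype, url

def pattern_matches(pattern, pkg):
    """pkg is 'name-version'; handles name<ver style constraints and shell globs."""
    m = re.match(r"^([^<>=]+)(<=|>=|<|>|==)(.+)$", pattern)
    if not m:
        return fnmatch(pkg, pattern)
    name, version = pkg.rsplit("-", 1)
    pname, op, pver = m.groups()
    if pname != name:
        return False
    a, b = dewey(version), dewey(pver)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "==": a == b}[op]

def audit(pkg, text, ignore_ids=()):
    """Return [(vulnid, type, url)] that apply to pkg and are not explicitly ignored."""
    return [(vid, vtype, url)
            for pattern, vid, vtype, url in parse_vulnerabilities(text)
            if vid not in ignore_ids and pattern_matches(pattern, pkg)]

if __name__ == "__main__":
    print(audit("libungif-4.1.3nb2", SAMPLE, ignore_ids={1520}))
```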