Subject: Re: Proposed audit-packages changes
To: None <tech-pkg@NetBSD.org>
From: Johnny C. Lam <jlam@pkgsrc.org>
List: tech-pkg
Date: 11/22/2005 08:24:56
--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Tue, Nov 22, 2005 at 07:57:14AM +0000, Johnny C. Lam wrote:
>
> One alternative to the last change is that CHECK_VULNERABILITIES should
> default to "yes", but that specific packages should hardcode
> "CHECK_VULNERABILITIES=no" in their package Makefiles. This would
> have the effect of skipping the checks when building those
> packages, but doesn't affect the vulnerability scan for those packages
> when running audit-packages on the command line. The candidate packages
> are likely to be:
>
> pkgtools/digest
> pkgtools/pkg_install
> security/audit-packages
The attached patch implements the alternative I describe above. The
audit-packages build dependency is pulled in and built automatically
if CHECK_VULNERABILITIES is "yes". This causes the default pkgsrc
setup to behave exactly like the old behavior except that we use
audit-packages instead of standalone audit code to perform the
vulnerability checks. It also allows the current
ALLOW_VULNERABILITIES.<pkgbase> functionality added by <erh> to continue
to work. I think this is the best of both worlds, so this should be
the way to go.
Cheers,
-- Johnny Lam <jlam@pkgsrc.org>
--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="vuln2.diff"
Index: bsd.pkg.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.mk,v
retrieving revision 1.1767
diff -u -r1.1767 bsd.pkg.mk
--- bsd.pkg.mk 22 Nov 2005 03:41:20 -0000 1.1767
+++ bsd.pkg.mk 22 Nov 2005 08:18:37 -0000
@@ -1314,59 +1314,52 @@
${FALSE} ;; \
esac
-# check for any vulnerabilities in the package
+# Check for any vulnerabilities in the package
-_AUDIT_PACKAGES_MIN_VERSION=1.40
-_AUDIT_PACKAGES_OK!= ${PKG_INFO} -qe 'audit-packages>=${_AUDIT_PACKAGES_MIN_VERSION}' ; echo $$?
+_AUDIT_PACKAGES_REQD= 1.40
-# Note: _any_ output from check-vulnerable is considered an error by do-fetch.
.PHONY: check-vulnerable
check-vulnerable:
-.if empty(_AUDIT_PACKAGES_OK:M0)
- @${ECHO_MSG} "${_PKGSRC_IN}> *** The audit-packages package must be at least version ${_AUDIT_PACKAGES_MIN_VERSION}"
- @${ECHO_MSG} "${_PKGSRC_IN}> *** Please install the security/audit-packages package and run";
- @${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'.";
- @false
-.else
- @${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} -p ${PKGNAME:Q}
-.endif
-
-
-.if defined(ALLOW_VULNERABILITIES.${PKGBASE})
-_ALLOW_VULNERABILITIES=${ALLOW_VULNERABILITIES.${PKGBASE}}
-.else
-_ALLOW_VULNERABILITIES=#none
-.endif
-
-.PHONY: do-fetch
-.if !target(do-fetch)
-do-fetch:
-. if empty(SKIP_AUDIT_PACKAGES:M[Yy][Ee][Ss]) && empty(_ALLOW_VULNERABILITIES:M[Yy][Ee][Ss])
+.if !empty(CHECK_VULNERABILITIES:M[yY][eE][sS])
${_PKG_SILENT}${_PKG_DEBUG} \
- if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
- ${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
- vul=`${MAKE} ${MAKEFLAGS} check-vulnerable || ${TRUE}`; \
- case "$$vul" in \
- "") ;; \
- *vulnid:*) vulnids=`echo "$$vul" | ${GREP} vulnid: | ${SED} -e's/.*vulnid:\\([[:digit:]]*\\).*/\\1/'`; \
- ${ECHO} "$$vul"; \
- ${ECHO} "or if this package is absolutely essential, add this to mk.conf:"; \
- for vulnid in $$vulnids ; do \
- ${ECHO} " ALLOW_VULNERABILITIES.${PKGBASE}+=$$vulnid"; \
- done ; \
- ${FALSE} ;; \
- *) ${ECHO} "$$vul"; \
- ${FALSE} ;; \
- esac; \
+ vers=${_AUDIT_PACKAGES_REQD:Q}; \
+ if ${PKG_INFO} -qe "audit-packages>=$$vers"; then \
+ : ; \
else \
- ${ECHO_MSG} "${_PKGSRC_IN}> *** No ${PKGVULNDIR}/pkg-vulnerabilities file found,"; \
- ${ECHO_MSG} "${_PKGSRC_IN}> *** skipping vulnerability checks. To fix, install"; \
- ${ECHO_MSG} "${_PKGSRC_IN}> *** the pkgsrc/security/audit-packages package and run"; \
+ ${ECHO_MSG} "${_PKGSRC_IN}> *** The audit-packages package must be at least version $$vers."; \
+ ${ECHO_MSG} "${_PKGSRC_IN}> *** Please install the security/audit-packages package and run"; \
${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; \
+ ${FALSE}; \
fi
-. else
- @${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME}"
-. endif
+ ${_PKG_SILENT}${_PKG_DEBUG} \
+ vulndb=${PKGVULNDIR:Q}/pkg-vulnerabilities; \
+ if [ ! -f "$$vulndb" ]; then \
+ ${ECHO_MSG} "${_PKGSRC_IN}> *** No $$vulndb file found;"; \
+ ${ECHO_MSG} "${_PKGSRC_IN}> *** skipping vulnerability checks. To fix, install"; \
+ ${ECHO_MSG} "${_PKGSRC_IN}> *** the pkgsrc/security/audit-packages package and run"; \
+ ${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; \
+ exit 0; \
+ fi; \
+ ${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
+ ${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} \
+ -p ${PKGNAME:Q} | \
+ ${AWK} '{ print; \
+ if (match($$0, "vulnid:[0-9]*")) \
+ a[n++] = substr($$0, RSTART, RLENGTH); \
+ } \
+ END { \
+ if (n == 0) exit; \
+ print "If this package is absolutely essential, " \
+ "add the following to mk.conf:"; \
+ for (i = 0; i < n; i++) \
+ print " ALLOW_VULNERABILITIES.${PKGBASE}+= " a[i]; \
+ exit 1; \
+ }'
+.endif # CHECK_VULNERABILITIES
+
+.PHONY: do-fetch
+.if !target(do-fetch)
+do-fetch: check-vulnerable
. if !empty(_ALLFILES)
${_PKG_SILENT}${_PKG_DEBUG} \
${TEST} -d ${_DISTDIR} || ${MKDIR} ${_DISTDIR}
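Review bot: In the new check-vulnerable recipe the exit status of `${AUDIT_PACKAGES}` is discarded, because piping into `${AWK}` makes awk's status the recipe's status, and awk only exits 1 when a `vulnid:` line was seen. An audit-packages run that fails for any other reason (unreadable or corrupt database, bad option) therefore prints whatever it prints and the fetch proceeds, and the rule stated by the removed comment (any output from check-vulnerable is an error) no longer holds: a line without `vulnid:` is echoed and ignored. Capturing the output first, failing on a non-zero status, and treating any non-empty output as a failure restores the fail-closed behaviour; the rewritten tail of the recipe is below. Separately, the `exit 0` on a missing pkg-vulnerabilities file keeps the default fail-open even though audit-packages is now a build dependency; if that is deliberate, a comment above that test saying so would spare the next reader the question. The do-fetch rule that now depends on check-vulnerable continues past the end of the hunk.
```make
	# … unchanged: audit-packages version check and pkg-vulnerabilities presence check …
	${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
	vul=`${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} -p ${PKGNAME:Q}`; \
	rc=$$?; \
	if [ $$rc -ne 0 -a -z "$$vul" ]; then \
		${ECHO_MSG} "${_PKGSRC_IN}> *** audit-packages exited with status $$rc; refusing to continue."; \
		exit 1; \
	fi; \
	${ECHO} "$$vul" | \
	${AWK} 'NF { print; seen++; \
		if (match($$0, "vulnid:[0-9]*")) \
			a[n++] = substr($$0, RSTART, RLENGTH); \
		} \
		END { \
		if (seen == 0) exit; \
		if (n > 0) { \
			print "If this package is absolutely essential, " \
			    "add the following to mk.conf:"; \
			for (i = 0; i < n; i++) \
				print "    ALLOW_VULNERABILITIES.${PKGBASE}+= " a[i]; \
		} \
		exit 1; \
		}'
```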
Index: bsd.pkg.use.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.use.mk,v
retrieving revision 1.23
diff -u -r1.23 bsd.pkg.use.mk
--- bsd.pkg.use.mk 21 Sep 2005 20:37:01 -0000 1.23
+++ bsd.pkg.use.mk 22 Nov 2005 08:18:37 -0000
@@ -7,6 +7,10 @@
# ${PREFIX} selection
############################################################################
+.if !empty(CHECK_VULNERABILITIES:M[yY][eE][sS])
+USE_TOOLS+= audit-packages
+.endif
+
.if defined(USE_IMAKE) || !empty(USE_TOOLS:Mimake)
PLIST_SUBST+= IMAKE_MAN_SOURCE_PATH=${IMAKE_MAN_SOURCE_PATH}
PLIST_SUBST+= IMAKE_MAN_DIR=${IMAKE_MAN_DIR}
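Review bot: Adding audit-packages to USE_TOOLS whenever CHECK_VULNERABILITIES is yes makes it a tool dependency of every package, including, as far as this hunk goes, the packages audit-packages itself depends on; the cover mail names pkgtools/digest and pkgtools/pkg_install as needing a hard-coded `CHECK_VULNERABILITIES=no`, but those Makefile changes are not part of this diff. Until they land, a tree without audit-packages installed would, if those dependencies exist as the mail suggests, recurse back into audit-packages while building them. A short comment here, e.g. `# Packages that audit-packages itself depends on must set CHECK_VULNERABILITIES=no in their Makefile to avoid a dependency cycle.`, would record the constraint next to the line that creates it.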
Index: bsd.prefs.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.prefs.mk,v
retrieving revision 1.210
diff -u -r1.210 bsd.prefs.mk
--- bsd.prefs.mk 16 Nov 2005 20:59:23 -0000 1.210
+++ bsd.prefs.mk 22 Nov 2005 08:18:37 -0000
@@ -497,7 +497,7 @@
PKG_INFO_CMD?= ${PKG_TOOLS_BIN}/pkg_info
PKG_VIEW_CMD?= ${PKG_TOOLS_BIN}/pkg_view
LINKFARM_CMD?= ${PKG_TOOLS_BIN}/linkfarm
-AUDIT_PACKAGES_CMD?= ${LOCALBASE}/sbin/audit-packages
+#AUDIT_PACKAGES_CMD?= ${LOCALBASE}/sbin/audit-packages
.if !defined(PKGTOOLS_VERSION)
PKGTOOLS_VERSION!= ${PKG_INFO_CMD} -V 2>/dev/null || echo 20010302
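Review bot: The two definitions are commented out rather than removed (`#AUDIT_PACKAGES_CMD?=` here and `#AUDIT_PACKAGES?=` in the next hunk), which leaves dead text suggesting the variables are still honoured; with AUDIT_PACKAGES now supplied by the tools framework, a user who sets AUDIT_PACKAGES_CMD in mk.conf gets no effect and no warning. Delete the lines, and if the old knob should keep working, register AUDIT_PACKAGES_CMD in defaults/obsolete.mk with a message. If the commented lines are meant as a reminder, say so instead: `# AUDIT_PACKAGES is now provided by the tools framework (USE_TOOLS+=audit-packages).`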
@@ -528,7 +528,7 @@
PKG_INFO?= ${PKGTOOLS_ENV} ${PKG_INFO_CMD} ${PKGTOOLS_ARGS}
PKG_VIEW?= ${PKGTOOLS_ENV} ${PKG_VIEW_CMD} ${PKG_VIEW_ARGS}
LINKFARM?= ${LINKFARM_CMD}
-AUDIT_PACKAGES?= ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD} ${PKGTOOLS_ARGS}
+#AUDIT_PACKAGES?= ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD} ${PKGTOOLS_ARGS}
# "${PKG_BEST_EXISTS} pkgpattern" prints out the name of the installed
# package that best matches pkgpattern. Use this instead of
Index: bulk/build
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bulk/build,v
retrieving revision 1.82
diff -u -r1.82 build
--- bulk/build 20 Nov 2005 11:18:45 -0000 1.82
+++ bulk/build 22 Nov 2005 08:18:37 -0000
@@ -216,7 +216,7 @@
# Check that the package tools are up to date.
#
( cd "${pkglint_dir}" \
- && ${BMAKE} fetch SKIP_AUDIT_PACKAGES=yes >/dev/null 2>&1
+ && ${BMAKE} fetch >/dev/null 2>&1
) || {
echo "Updating pkgtools"
( cd "${pkgsrc_dir}/pkgtools/pkg_install" \
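Review bot: Dropping `SKIP_AUDIT_PACKAGES=yes` changes what this probe measures: `${BMAKE} fetch` now also runs check-vulnerable, so the probe fails and "Updating pkgtools" is triggered when pkglint has an open vulnerability or the pkg-vulnerabilities database is stale, not only when the package tools are out of date, and the `>/dev/null 2>&1` hides which it was. If the intent is still to test tool versions, pass the new knob instead: `&& ${BMAKE} fetch CHECK_VULNERABILITIES=no >/dev/null 2>&1`. If the probe is now meant to pull audit-packages in as part of the tools, a comment saying so would stop the next reader from restoring the skip.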
Index: defaults/mk.conf
===================================================================
RCS file: /cvsroot/pkgsrc/mk/defaults/mk.conf,v
retrieving revision 1.94
diff -u -r1.94 mk.conf
--- defaults/mk.conf 17 Nov 2005 00:28:48 -0000 1.94
+++ defaults/mk.conf 22 Nov 2005 08:18:37 -0000
@@ -22,12 +22,12 @@
# or the word "yes" to allow all. (not recommended)
# Default: not defined
-SKIP_AUDIT_PACKAGES?=no
-# Completely skip running audit-packages to check for vulnerable packages.
-# Specifying individual vulnerabilities with
-# ALLOW_VULNERABILITIES.<pkgname>=<vulnid> is preferred to using this.
+CHECK_VULNERABILITIES?= yes
+# Perform the checks to see if the package is ``vulnerable''. Specifying
+# individual vulnerabilities with ALLOW_VULNERABILITIES.<pkgname> is
+# preferred to setting this to turning off this check.
# Possible: yes, no
-# Default: no
+# Default: yes
MANINSTALL?= maninstall catinstall
# Specify manpage installation types.
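Review bot: The new comment on CHECK_VULNERABILITIES reads `preferred to setting this to turning off this check`, which is garbled. Suggest `# individual vulnerabilities with ALLOW_VULNERABILITIES.<pkgname> is` / `# preferred to turning this check off entirely.` It would also help to state that the check is only performed when a pkg-vulnerabilities database is present, since with the bsd.pkg.mk change a user who leaves this at yes but has never run download-vulnerability-list gets no check at all.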
Index: defaults/obsolete.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/defaults/obsolete.mk,v
retrieving revision 1.16
diff -u -r1.16 obsolete.mk
--- defaults/obsolete.mk 3 Oct 2005 21:25:17 -0000 1.16
+++ defaults/obsolete.mk 22 Nov 2005 08:18:37 -0000
@@ -8,6 +8,20 @@
PKG_SYSCONFDIR.priv?= ${PRIV_CONF_DIR}
.endif
+# SKIP_AUDIT_PACKAGES is a "negative variable", which should no longer be
+# used in pkgsrc. This should be removed after pkgsrc-2005Q4 has been
+# branched.
+#
+.if defined(SKIP_AUDIT_PACKAGES) && !empty(SKIP_AUDIT_PACKAGES:M[yY][eE][sS])
+CHECK_VULNERABILITIES= no
+.endif
+
+# This should be removed after pkgsrc-2006Q1 has been branched.
+.if defined(ALLOW_VULNERABLE_PACKAGES)
+CHECK_VULNERABILITIES= no
+.endif
+
+
###
### Set PKG_LEGACY_OPTIONS based on to-be-deprecated global variables.
###
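Review bot: The ALLOW_VULNERABLE_PACKAGES shim tests only `defined()`, unlike the SKIP_AUDIT_PACKAGES shim just above it which also requires the value to match yes, so a user who wrote `ALLOW_VULNERABLE_PACKAGES=no` in mk.conf to state the safe choice has the vulnerability check switched off silently. If the old variable was a yes/no knob like the other (its semantics are not visible here), the test should be `.if defined(ALLOW_VULNERABLE_PACKAGES) && !empty(ALLOW_VULNERABLE_PACKAGES:M[yY][eE][sS])`. Both shims also overwrite an explicit `CHECK_VULNERABILITIES=yes` from mk.conf with `=`; a `.warning` naming the obsolete variable would tell the user why the check was disabled.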
Index: tools/defaults.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/tools/defaults.mk,v
retrieving revision 1.42
diff -u -r1.42 defaults.mk
--- tools/defaults.mk 8 Nov 2005 23:06:38 -0000 1.42
+++ tools/defaults.mk 22 Nov 2005 08:18:37 -0000
@@ -52,6 +52,7 @@
# "TOOL" variable names associated with each of the tools
+_TOOLS_VARNAME.audit-packages= AUDIT_PACKAGES
_TOOLS_VARNAME.awk= AWK
_TOOLS_VARNAME.basename= BASENAME
_TOOLS_VARNAME.bash= BASH
Index: tools/replace.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/tools/replace.mk,v
retrieving revision 1.135
diff -u -r1.135 replace.mk
--- tools/replace.mk 8 Nov 2005 23:06:38 -0000 1.135
+++ tools/replace.mk 22 Nov 2005 08:18:38 -0000
@@ -198,6 +198,18 @@
# command, e.g., TOOLS_TBL, TOOLS_YACC, etc., provided that "TOOL" has
# been associated with <tool>.
#
+.if !defined(TOOLS_IGNORE.audit-packages) && !empty(_USE_TOOLS:Maudit-packages)
+. if !empty(PKGPATH:Msecurity/audit-packages)
+MAKEFLAGS+= TOOLS_IGNORE.audit-packages=
+. elif !empty(_TOOLS_USE_PKGSRC.audit-packages:M[yY][eE][sS])
+TOOLS_DEPENDS.audit-packages?= audit-packages>=${_AUDIT_PACKAGES_REQD}:../../security/audit-packages
+TOOLS_CREATE+= audit-packages
+TOOLS_FIND_PREFIX+= TOOLS_PREFIX.audit-packages=audit-packages
+TOOLS_PATH.audit-packages= ${TOOLS_PREFIX.audit-packages}/bin/audit-packages
+TOOLS_ARGS.audit-packages= ${PKGTOOLS_ARGS}
+. endif
+.endif
+
.if !defined(TOOLS_IGNORE.awk) && !empty(_USE_TOOLS:Mawk)
. if !empty(PKGPATH:Mlang/nawk)
MAKEFLAGS+= TOOLS_IGNORE.awk=
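Review bot: `TOOLS_PATH.audit-packages` points at `${TOOLS_PREFIX.audit-packages}/bin/audit-packages`, while the definition this replaces in bsd.prefs.mk used `${LOCALBASE}/sbin/audit-packages` and the messages in bsd.pkg.mk still refer to `${LOCALBASE}/sbin/download-vulnerability-list`; unless the package actually installs into bin, the tool wrapper would point at a file that does not exist and every check-vulnerable run would likely fail. The replaced definition also ran the command under `${PKGTOOLS_ENV}`, which the new TOOLS_PATH/TOOLS_ARGS pair does not carry; if that environment matters (it is applied to PKG_INFO and PKG_VIEW in the same file), audit-packages will now run without it. Lastly `_AUDIT_PACKAGES_REQD` is assigned in bsd.pkg.mk but consumed here; lazy expansion of `?=` will probably cover the ordering, but defining the constant next to its only consumer would remove the doubt.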
--d6Gm4EdcadzBjdND--