Subject: Re: learning what package versions are available?
To: Jeremy C. Reed <reed@reedmedia.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-pkg
Date: 01/25/2006 14:17:36
In message <Pine.NEB.4.62.0601251059200.668@pilchuck.reedmedia.net>, "Jeremy C. Reed" writes:
>On Wed, 25 Jan 2006, Steven M. Bellovin wrote:
>
>> >Is this what you mean?
>> >
>> > pkg_info -Q PKGPATH -a | while read p ; do cd $p && bmake show-var \
>> >   VARNAME=PKGNAME ; cd ${OLDPWD} ; done
>> 
>> No -- that works on what I have on my system.  I want something that's 
>> run on a NetBSD server, doing that for all possible packages.  That 
>> way, I can pull down one file and see if I should upgrade any of my 
>> insecure packages.  I'm trying to avoid everyone wanting to do
>> 'cvs update' every day via cron.
>
>Is this because the pkg-vulnerabilities (audit-packages) might list 
>packages that do not really have updates yet?

Precisely.  Right now, my laptop claims to have 6 vulnerable packages.  
All of the vulnerabilities have been present for several days at least; 
three have been present for months.

>
>Or you are interested in knowing about any updates, and not just security 
>updates. And it could also be used simply to show what is now available.

That would be nice but not as important, though it would speed up
'lintpkgsrc -i'.
>
>Hosting that list on some official server seems fine. I don't know if 
>NetBSD web or ftp server has up-to-date pkgsrc to build the list from 
>daily. But if so, that would be easy to do.
>
>I wonder if parsing doc/CHANGES could be used too.
>
Maybe, though parsing doesn't work well if there isn't a 
rigidly-defined format.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
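
The check discussed in this thread, as an added example that is not part of the original message or of pkgsrc's tools: given the installed packages, a pkg-vulnerabilities style list, and a single downloaded index of currently available PKGNAMEs, it reports which vulnerable packages actually have a fixed version to upgrade to. The index format (one PKGNAME per line), the sample data, and the simplified version ordering (dotted numbers plus `nbN`, `name<version` patterns only) are assumptions, not pkgsrc's full matching rules.

```python
import re

# Constructed sample data. The "one PKGNAME per line" index is an assumed format.
INSTALLED = ["libfoo-1.2.3", "bar-2.0nb1", "baz-0.9"]
AVAILABLE = ["libfoo-1.2.6", "bar-2.0nb2", "baz-0.9", "qux-3.1"]
VULNS = """\
# pattern  type  url  (constructed entries)
libfoo<1.2.5 remote-code-execution https://example.invalid/adv1
bar<2.0nb3 denial-of-service https://example.invalid/adv2
baz<1.0 privilege-escalation https://example.invalid/adv3
"""

def split_pkgname(pkgname):
    """'bar-2.0nb1' -> ('bar', '2.0nb1'); the version follows the last hyphen."""
    name, _, version = pkgname.rpartition("-")
    return name, version

def version_key(version):
    """Simplified ordering: dotted numbers plus an optional nbN revision."""
    base, _, rev = version.partition("nb")
    nums = [int(n) for n in re.findall(r"\d+", base)]
    while nums and nums[-1] == 0:      # treat 2.0 and 2 as equal
        nums.pop()
    return nums, int(rev or 0)

def parse_vulns(text):
    """Yield (name, first_fixed_version, type) for 'name<version' patterns only."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        m = re.fullmatch(r"([\w.+-]+)<(\d[\w.]*)", fields[0])
        if m:
            yield m.group(1), m.group(2), fields[1]

def triage(installed, vulns_text, available):
    """Map each vulnerable installed package to (type, fixed version or None)."""
    avail = dict(split_pkgname(p) for p in available)
    rules = list(parse_vulns(vulns_text))
    report = {}
    for pkg in installed:
        name, ver = split_pkgname(pkg)
        for vname, limit, vtype in rules:
            if vname == name and version_key(ver) < version_key(limit):
                new = avail.get(name)
                fixed = new is not None and version_key(new) >= version_key(limit)
                report[pkg] = (vtype, new if fixed else None)
    return report
```

A `None` in the second field marks a package that is flagged as vulnerable but has no fixed version in the index yet, which is the case the thread wants to distinguish.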