Re: audit-packages/download-vulnerability-list integration?

[Sarton O'Brien <bsd-xen%roguewrt.org@localhost>]

On Mon, 14 Jul 2008 03:04:18 pm Bernd Ernesti wrote:
> On Mon, Jul 14, 2008 at 02:24:23AM +0200, Hubert Feyrer wrote:
> > 
> > Looking at -current: Now that audit-packages and 
> > download-vulnerability-list are part of the base system, I think it would 
> > be nice to offer hooks to run them nightly, e.g. via daily.conf(5) or 
> > security.conf(5). I haven't seen any references there, though - can this 
> > be added, is it intended that users add manual cronjobs, or what's the 
> > idea here?
> 
> This seems to be a topic for current-users, since you are talking about
> the base system.
> IMHO they should not be activated by default, if they will be added.
> 
> Packages are optional and so it shouldn't run automatically since it
> requires an up to date vulnerability file and doing that is not a good
> idea. Think about systems which are not allowed to be modified or
> what if every new installation connects to a server for getting it at
> the same time. Or what if such systems have no packagea at all installed.

Since they moved to the base system I've also noticed you now have to run 
download-vulnerability-list on each server instance whereas in the past, 
mounting pkgsrc via nfs and running it on one system was sufficient.

Some configuration options regarding the base facilities may be useful, like 
db location in this instance ... but could be extended I'm sure.

If they all point to the same db, update frequency becomes less of a problem. 
This is obviously limited to an nfs scenario but the option would be useful, 
assuming I haven't glossed over the option already.

Sarton