Subject: learning what package versions are available?
To: None <tech-pkg@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-pkg
Date: 01/25/2006 13:35:12

Like many others, I run audit-packages to learn what I need to update.  
When I get hits, I do a 'cvs update' and try to build.  Normally, that 
takes at least several days, with the added load on the CVS servers.  
It would be nice if there was a single file, updated daily, that had 
the version string for each package.  I could then write a script that 
would pull down the version strings for every insecure package I have, 
and check those strings against the vulnerabilities file.

Is this feasible?  I don't see any target that would produce the 
version string that we need.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
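
The check proposed in the message above, as an added example that is not part of the original post or of pkgsrc: for each installed package that matches a vulnerability pattern, look up the current pkgsrc version in a daily index and test that version against the same patterns. The index file and its `<pkgbase> <version>` layout are hypothetical (it is the file the post asks for), the sample data is constructed, and the version comparison is a simplified stand-in for pkg_install's matching that handles only relational patterns and `nbN` revisions.

```python
import re

# Constructed sample in pkg-vulnerabilities layout: "<pattern> <type> <url>".
VULNS = """\
# constructed entries, not real advisories
foo<1.2.3 remote-code-execution https://example.org/adv/1
bar>=2.0<2.4nb1 denial-of-service https://example.org/adv/2
baz<=0.9 privilege-escalation https://example.org/adv/3
"""
# Hypothetical daily index (the file the post asks for): "<pkgbase> <version>".
INDEX = "foo 1.2.3\nbar 2.4\nbaz 0.9nb2\n"
INSTALLED = ["foo-1.2.1", "bar-2.1", "baz-0.9", "qux-3.0"]  # constructed

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def vkey(version):
    """Simplified ordering key: numeric components, then the nbN revision."""
    base, nb = re.fullmatch(r"(.*?)(?:nb(\d+))?", version).groups()
    return [int(n) for n in re.findall(r"\d+", base)], int(nb or 0)

def matches(pattern, pkgbase, version):
    """True if pkgbase-version satisfies a relational pattern such as foo>=1<2."""
    m = re.fullmatch(r"([^<>]+)((?:[<>]=?[^<>]+)+)", pattern)
    if not m or m.group(1) != pkgbase:
        return False  # glob and brace patterns are not relational; skipped
    return all(OPS[op](vkey(version), vkey(bound))
               for op, bound in re.findall(r"([<>]=?)([^<>]+)", m.group(2)))

def check_updates(installed, vulns, index):
    """For each vulnerable installed package: (indexed version, update fixes it)."""
    current = dict(line.split() for line in index.splitlines() if line.strip())
    patterns = [l.split()[0] for l in vulns.splitlines()
                if l.strip() and not l.startswith("#")]
    report = {}
    for pkg in installed:
        base, ver = pkg.rsplit("-", 1)
        if base in current and any(matches(p, base, ver) for p in patterns):
            new = current[base]
            report[pkg] = (new, not any(matches(p, base, new) for p in patterns))
    return report

if __name__ == "__main__":
    for pkg, (new, fixed) in check_updates(INSTALLED, VULNS, INDEX).items():
        print(f"{pkg}: index has {new}:", "rebuild" if fixed else "still vulnerable")
```

In the constructed data, `bar` stays flagged because the indexed `2.4` still sorts below the fixed `2.4nb1`, which is the case where a 'cvs update' and rebuild would be wasted.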