pkg/28230: bsd.pkg.mk ignores /etc/audit-packages.conf

[Hauke Fath <hauke%Espresso.Rhein-Neckar.DE@localhost>]

>Number:         28230
>Category:       pkg
>Synopsis:       bsd.pkg.mk ignores /etc/audit-packages.conf
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 11 21:43:00 +0000 2004
>Originator:     Hauke Fath <hauke%Espresso.Rhein-Neckar.DE@localhost>
>Release:        NetBSD 2.0_RC4
>Organization:
Falling Raindrops
>Environment:
        
        
System: NetBSD pizza.causeuse.org 2.0_RC4 NetBSD 2.0_RC4 (PIZZA) #16: Wed Oct 
20 00:51:42 CEST 2004 
hauke%pizza.causeuse.org@localhost:/var/obj/netbsd-builds/2_0/sparc/obj/sys/arch/sparc/compile/PIZZA
 sparc
Architecture: sparc
Machine: sparc
>Description:

        security/audit-packages sources /etc/audit-packages.conf where
        you can provide an alternate location for the
        download-vulnerability-list file. Unfortunately, mk/bsd.pkg.mk
        does not know about this preference file, and complains
        loudly:

===> *** No /usr/src/pkgsrc/distfiles/pkg-vulnerabilities file found,
===> *** skipping vulnerability checks. To fix, install
===> *** the pkgsrc/security/audit-packages package and run
===> *** '/usr/pkg/sbin/download-vulnerability-list'.

>How-To-Repeat:

        Set PKGVULNDIR in /etc/audit-packages.conf to a non-default
        location, schedule a nightly download-vulnerability-list run
        and be surprised about the warning that appears during each
        and every package build. Find that bsd.pkg.mk looks at the 
        PKGVULNDIR variable but does not bother with
        /etc/audit-packages.conf.

>Fix:

        Teach mk/bsd.pkg.mk to look at /etc/audit-packages.conf.
>Unformatted: