pkgsrc-Users archive


Re: HEADS UP: security/audit-packages removal



Hisashi T Fujinaka wrote:
...
> I'm unclear on the whole thing. On my -current system, audit-packages
> does nothing. Well, it does something but doesn't indicate anything.
> What am I supposed to be doing to check my packages on -current?

Have a look at the MESSAGE from pkgsrc/pkgtools/pkg_install and see if
that answers any of your questions.  I'd point you to other sources on
www.netbsd.org but I've just realised they are not fully up to date :<
I'll get on to updating them ASAP, but basically you:

* Run download-vulnerability-list from cron to get the updated list of
vulnerable packages (a.k.a. pkg-vulnerabilities)
* Run audit-packages from cron to scan for installed vulnerable packages

Also, if you install a package, and the pkgsrc infrastructure detects
you have the pkg-vulnerabilities file, it will warn you if the package
you are trying to install has any known security issues.

> 
> I'm also sane and run "stable" versions of netbsd on several
> "production" servers rather than -current. What do I use instead of
> audit-packages?

As I mentioned in my initial email, all the functionality in
security/audit-packages is now in pkg_install.  Just make sure you have
a recent pkg_install package (i.e. post 20070714) and you will have all
the tools at your disposal.

> 
> Apparently something changed and I missed the notification, or perhaps
> it was all decided on netbsd-core and the regular folks have no idea
> what's going on. (Yes, this is yet another ignored complaint about
> netbsd-core's opacity.)
> 

The only real change that's gone on here is that security/audit-packages
has been replaced by tools in pkgtools/pkg_install.  With that
replacement has come extra functionality and improved performance.  So
basically it is a case of "same job, different tools".  Nothing has been
hidden here and there are multiple emails to public lists and
announcements that detail this [1].  Also, all the tools have associated
man pages.

regards,

adrian.

[1]
http://mail-index.netbsd.org/tech-userlevel/2007/02/22/0003.html
http://mail-index.netbsd.org/tech-pkg/2007/05/25/0001.html
http://mail-index.netbsd.org/tech-pkg/2007/10/15/0008.html


