pkgsrc-Users archive


Re: help with IGNORE_URL



On Sat, 18 Jul 2009 22:54:28 +0200
Joerg Sonnenberger <joerg%britannica.bec.de@localhost> wrote:

> On Fri, Jul 17, 2009 at 11:25:25PM -0400, Steven M. Bellovin wrote:
> > in /etc/pkg_install.conf; when I check it via
> > 
> >     # pkg_admin config-var IGNORE_URL
> >     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889
> >     some-other-advisory
> 
> A better check would be "pkg_admin audit-pkg pidgin-2.5.7", just as
> reference.

Good point.
> 
> > I get what seems to be the right answer.  Nevertheless, when I try
> > to build it the system complains about the vulnerability:
> 
> Do you have pkg_install installed from pkgsrc? That would use
> ${PREFIX}/etc/pkg_install.conf.
> 
That was it, but it raises two more questions.

First -- why did pkg_admin find the copy in /etc, when 'make' did not?
Before I created the file, I actually checked the man page, which
specified /etc; I then ran pkg_admin to double-check.  Let me amend
that: I know why, in the sense that /usr/sbin/pkg_admin is found first
via my $PATH.  But why isn't the tool in pkgsrc using $PATH as well?

Second -- this distinction looks troublesome down the road.  Normally,
I don't install pkg_install from pkgsrc; presumably, that means that
the copy in /etc would be checked.  But sometimes, pkgsrc itself is
updated enough that 'make' fails until I update my package tools -- at
which point everything is going to look for a different copy.  Or am I
missing something?

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
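The mismatch discussed in this message, where an IGNORE_URL entry exists in one pkg_install.conf but not in the copy another pkg_install binary reads, can be checked with the following sketch. It is an added example, not part of the original message or of pkgsrc; the function names, the `IGNORE_URL=<advisory>` one-entry-per-line file format and the `/usr/pkg` prefix in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example: detect IGNORE_URL drift between two pkg_install.conf copies.
# Assumption: entries are written one per line as IGNORE_URL=<advisory>.

# Print the sorted, unique IGNORE_URL values from config file $1.
# A missing or unreadable file yields no entries.
ignore_urls() {
    [ -r "$1" ] || return 0
    sed -n 's/^IGNORE_URL=//p' "$1" | sort -u
}

# Print entries that are in file $1 but not in file $2.
missing_from() {
    a=$(mktemp); b=$(mktemp)
    ignore_urls "$1" > "$a"
    ignore_urls "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Report differences in both directions; return 1 if the files disagree.
compare_ignore_urls() {
    report=$(
        missing_from "$1" "$2" | awk -v f="$1" '{ print "only in " f ": " $0 }'
        missing_from "$2" "$1" | awk -v f="$2" '{ print "only in " f ": " $0 }'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: the first file carries both entries shown in the
# thread, the second file carries only one of them.
demo=$(mktemp -d)
cat > "$demo/etc.conf" <<'EOF'
IGNORE_URL=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889
IGNORE_URL=some-other-advisory
EOF
printf 'IGNORE_URL=some-other-advisory\n' > "$demo/prefix.conf"
compare_ignore_urls "$demo/etc.conf" "$demo/prefix.conf" || echo "configs disagree"

# Real use (assumes the default pkgsrc PREFIX of /usr/pkg):
#   compare_ignore_urls /etc/pkg_install.conf /usr/pkg/etc/pkg_install.conf
```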

