Subject: Re: pkg_add mozilla ...?
To: John Franklin <franklin@elfie.org>
From: Steven M. Bellovin <smb@research.att.com>
List: port-i386
Date: 08/29/2002 16:17:01
In message <20020829201450.GM5219@deathmitten.example.org>, John Franklin writes:
>On Thu, Aug 29, 2002 at 10:06:32PM +0200, Manuel Bouyer wrote:
>> On Thu, Aug 29, 2002 at 04:01:07PM -0400, John Franklin wrote:
>> > network sources.)  Similarly, does pkg_add take advantage of
>> > audit-packages if present?  Say, you install a package from a CDROM
>> > that's old and has a security advisory on it.  Pkg-add could allow it to
>> > proceed (user selectable), but inform the user of the advisory via
>> > audit-packages.
>>
>> It's much, much better to run audit-packages from cron. Because the package
>> isn't marked as vulnerable at pkg_add time doesn't mean it won't be a few
>> days later.
>
>I meant in addition to having it run via cron.  The CDROM you've
>installed said binary package from may be many months old.  The
>audit-packages db is less than 24hrs old.
>

As I said, pkg_add does this (for source packages, at least), by
consulting the same file that audit-packages uses.  Of course, that
assumes that you have a current copy of that file.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
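The install-time check Steve describes, as an added example that is not part of this thread or of pkgsrc's own pkg_add/audit-packages code: it matches an installed package against entries in a constructed vulnerabilities file written in the style of pkg-vulnerabilities (package pattern, vulnerability type, advisory URL per line) and flags the file as stale, since the check is only as good as the age of that file. The file contents, package names, versions and URLs are made up, and the version comparison is a simplification of pkgsrc's dewey rules (pre-release suffixes are not ordered the way pkgsrc orders them).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of a pkg-vulnerabilities file; every
# package name, version and URL here is made up for this example.
SAMPLE_VULNS = """\
# comment and blank lines are ignored
mozilla<1.0.1 remote-code-execution http://advisory.example.invalid/mozilla-1
openssl<0.9.6e buffer-overflow http://advisory.example.invalid/openssl-1
"""

PATTERN_RE = re.compile(r"^([A-Za-z0-9_.+-]+?)(<=|<|>=|>|==)([0-9][0-9A-Za-z.]*)$")
PKG_RE = re.compile(r"^(.*)-([0-9][0-9A-Za-z.]*)$")  # 'name-version' as pkg_info shows it
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def version_key(v):
    """Split '0.9.6e' into comparable parts; numbers compare numerically, letters lexically."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))

def parse_vulns(text):
    """Return (name, op, version, type, url) tuples for each usable entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, vtype, url = line.split(None, 2)
        m = PATTERN_RE.match(pattern)
        if m is None:
            continue  # pattern syntax this simplified matcher does not handle
        entries.append((m.group(1), m.group(2), m.group(3), vtype, url))
    return entries

def affected(pkg, entries):
    """Advisories (type, url) whose pattern matches an installed 'name-version'."""
    m = PKG_RE.match(pkg)
    if m is None:
        return []
    name, ver = m.groups()
    return [(vtype, url) for (pname, op, pver, vtype, url) in entries
            if pname == name and OPS[op](version_key(ver), version_key(pver))]

def db_is_stale(db_mtime, now, max_age=timedelta(days=1)):
    """Steve's caveat: a check against an old copy of the file proves little."""
    return now - db_mtime > max_age

def audit_install(pkg, vulns_text, db_mtime, now):
    """What a pre-install check would report: matching advisories plus a staleness flag."""
    return {"package": pkg, "hits": affected(pkg, parse_vulns(vulns_text)),
            "db_stale": db_is_stale(db_mtime, now)}
```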