Subject: Re: pkg-vulnerabilities error message
To: Perry E. Metzger <perry@piermont.com>
From: Martin Weber <Ephaeton@gmx.net>
List: tech-pkg
Date: 12/30/2003 00:21:44

On Mon, Dec 29, 2003 at 11:58:02AM -0500, Perry E. Metzger wrote:
> 
> Michal Pasternak <michal@pasternak.w.lub.pl> writes:
> > Perry E. Metzger [Mon, Dec 29, 2003 at 11:20:41AM -0500]:
> >> We really either need to remove that message, or add a job that
> >> automatically tweaks the vulnerability list if it hasn't been touched
> >> in a few days. Getting this message spuriously is a serious pain in
> >> the neck -- we should not generate errors if all is well.
> >
> > And how do you know if it is really all well?
> 
> If you can download the file without any trouble, then you should not
> be screaming. At worst, an alarm should be screaming for the pkgsrc
> maintainers, not for each of the tens of thousands of users.

...

221-
    Data traffic for this session was 40312 bytes in 1 file.
    Total traffic for this session was 44634 bytes in 1 transfer.
221 Thank you for using the FTP service on ftp.NetBSD.org.
No change from existing package vulnerabilities file

...

This implies a successful attempt of the system administrator (or
cron) to fetch the vulnerabilities file. If you patch 
download-vulnerability-list like this ...

================================================================================
Index: Makefile
===================================================================
RCS file: /pub/NetBSD-CVS/pkgsrc/security/audit-packages/Makefile,v
retrieving revision 1.38
diff -u -r1.38 Makefile
--- Makefile	2003/12/12 21:40:32	1.38
+++ Makefile	2003/12/29 23:21:11
@@ -37,6 +37,7 @@
 			-e 's|@CHMOD@|${CHMOD}|g'			\
 			-e 's|@MV@|${MV}|g'				\
 			-e 's|@RM@|${RM}|g'				\
+			-e 's|@TOUCH@|${TOUCH}|g'			\
 			-e 's|@MKDIR@|${MKDIR}|g'			\
 			-e 's|@PKG_SYSCONFDIR@|${PKG_SYSCONFDIR}|g'	\
 			${FILESDIR}/$$f > ${WRKSRC}/$$f;		\
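Review bot: The new '@TOUCH@' substitution depends on ${TOUCH} being defined when the files are generated, and nothing in this hunk guarantees that. If it expands to an empty string, the line added to download-vulnerability-list becomes a bare '${EXIST_VUL_LIST}' and the script tries to execute the vulnerability file instead of touching it. Please confirm ${TOUCH} is provided the same way ${RM}, ${MV} and ${CHMOD} are. As a style point, the new line could go after the @MKDIR@ entry so the list of tool substitutions stays easy to scan.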
Index: files/download-vulnerability-list
===================================================================
RCS file: /pub/NetBSD-CVS/pkgsrc/security/audit-packages/files/download-vulnerability-list,v
retrieving revision 1.22
diff -u -r1.22 download-vulnerability-list
--- files/download-vulnerability-list	2003/12/03 04:58:01	1.22
+++ files/download-vulnerability-list	2003/12/29 23:21:11
@@ -105,6 +105,7 @@
 else
 	echo "No change from existing package vulnerabilities file"
 	@RM@ -f ${NEW_VUL_LIST}
+	@TOUCH@ ${EXIST_VUL_LIST}
 fi
 
 exit 0
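Review bot: The added '@TOUCH@ ${EXIST_VUL_LIST}' in the else branch makes the file's modification time mean "last checked" rather than "last changed", so the age of the list can no longer tell an administrator when its content was last updated. That is only safe if this branch is reached solely after a complete, verified download. The condition is not visible in this hunk, so please confirm a failed or truncated fetch cannot land here and silently refresh the timestamp. Consider recording the last successful fetch in a separate stamp file instead of touching the list itself. The expansion should also be quoted ("${EXIST_VUL_LIST}"), and a failing touch is currently ignored because the script goes straight on to 'exit 0'.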
================================================================================

... it would prevent triggering this message. Yes, it didn't change,
but yes, we also did fetch the file successfully.

Regards,

-Martin