Subject: Re: Speeding up the vulnerabilities check
To: None <tech-pkg@NetBSD.org>
From: Roland Illig <roland.illig@gmx.de>
List: tech-pkg
Date: 02/27/2005 17:07:34

Alistair Crooks wrote:
> I took smb's suggestion, and added a check in for a metacharacter in the
> "skip" case, which makes things a lot faster for me, and restores the
> previous behaviour of only running a pkg_admin check if the PKGBASE is
> the vulnerable pattern, or if there's a metacharacter in the pattern.
> 
> Further testing is needed - hence this mail.

I like your patch, too, especially because it is so much shorter than 
mine. But it is also a bit slower, because it still calls pkg_admin 57 
times instead of only one time:

   $ cd /usr/pkgsrc/pkgtools/pkglint
   $ make check-vulnerable PKG_ADMIN=true | grep WARNING | wc -l
       57

Your patch restricts us a bit on the valid PKGBASE names to not use any 
regexp metacharacters. We already have packages that contain regexp 
metacharacters:

   $ cd /usr/pkgsrc
   $ ls -d */*/ | grep -Eiv '^[-a-z0-9]+/[-_a-z0-9]+/$'

Also we must agree that every pattern in pkg-vulnerabilities contains 
the complete PKGBASE as a substring, which is not required by now. So if 
you commit your patch, please update the documentation in the 
pkg-vulnerabilities file.

Roland
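
Added example, not part of the original message and not the patch under discussion: a sketch of the prefilter idea with PKGBASE used once as an extended regexp and once as a literal substring, showing how a `+` in the name makes the regexp variant skip an entry it should have checked. The function names, the sample entries, the placeholder URLs and the choice of `{` as the metacharacter are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not the patch under discussion.
# Constructed sample entries in the pkg-vulnerabilities layout:
# pattern, type, URL (versions and URLs are placeholders).
SAMPLE='gtk+extra<0.99.18 remote-code-execution https://example.invalid/a
php{4,5}-imap<1.0 denial-of-service https://example.invalid/b
pkglint<4.0 local-file-write https://example.invalid/c
apache<1.3.33 remote-root-shell https://example.invalid/d'

# Prefilter A: PKGBASE interpolated into an extended regexp.
# Returns 0 when the entry must go on to the full matcher.
needs_check_regex() {   # $1 = pattern, $2 = PKGBASE
	case $1 in *'{'*) return 0 ;; esac
	printf '%s\n' "$1" | grep -Eq -e "$2"
}

# Prefilter B: PKGBASE compared as a literal substring. The quoted
# expansion inside the case pattern disables glob interpretation.
needs_check_fixed() {   # $1 = pattern, $2 = PKGBASE
	case $1 in
	*'{'*) return 0 ;;
	*"$2"*) return 0 ;;
	esac
	return 1
}

# Count the sample entries a prefilter hands on for PKGBASE $2.
count_checks() {        # $1 = prefilter function, $2 = PKGBASE
	n=0
	while read -r pattern _type _url; do
		if "$1" "$pattern" "$2"; then n=$((n + 1)); fi
	done <<EOF
$SAMPLE
EOF
	echo "$n"
}

# A plain name gives the same count either way; for gtk+extra the
# regexp variant reads "k+" as a repetition and drops the first entry.
for base in pkglint gtk+extra; do
	echo "$base regex=$(count_checks needs_check_regex "$base")" \
	     "fixed=$(count_checks needs_check_fixed "$base")"
done
```

A skipped entry here means a vulnerability warning that is never printed, so the literal comparison is the safer prefilter when package names may contain regexp metacharacters.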