Subject: adding check for binary packages to audit-packages
To: None <tech-pkg@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 05/11/2005 16:00:43
I needed a quick way to list which of my binary packages had
vulnerabilities. lintpkgsrc is way too slow! My quick solution follows.
I changed my audit-packages to have at the end:
# if /usr/sbin/pkg_info -qe "$pat"; then
# echo Package `/usr/sbin/pkg_info -e "$pat"` has a \
# $type vulnerability, see $url
# fi
found=`/usr/sbin/pkg_admin -d $PKGREPOSITORY lsall "$pat"`
if [ -n "$found" ] ; then
echo $found | tr ' ' '
' | while read line ; do
echo Package $line has a \
$type vulnerability, see $url
done
fi
Where PKGREPOSITORY is like /home/packages/Linux/2.6.x/i386/All/ or
/usr/pkgsrc/packages/All for example.
The same routine above can check installed packages too by adding the
pkg_admin -S switch and using PKGREPOSITORY of /var/db/pkg/ for example.
Any suggestions if audit-packages should add a switch to enable binary
package checks versus installed packages?
Also, maybe this should have an option to just output just the vulnerable
package names (with versions of course) without the extra information. (I
could always use cut to extract later if needed though instead.)
I carbon-copied Havard to see if he had any suggestions since he has a
script that does similar.
Jeremy C. Reed
technical support & remote administration
http://www.pugetsoundtechnology.com/
p.s. Some related thoughts:
I'd like to suggest that the default PKGVULNDIR is somewhere that is on
all systems using NetBSD packages, such as ${PKG_DBDIR} (like
/var/db/pkg-vulnerabilities).
The code for figuring out the fetch command and that complaint of unknown
fetch command probably should be done at pkgsrc build time of the package
and not needed in the end result script. Anyone want to improve that?
And maybe provide some way to have multiple pkg-vulnerabilities files. Any
thoughts on that? For example, if you use or offer pkgsrc packages not
included in official NetBSD pkgsrc.