Subject: Re: vulnerabilities not being checked at package compile time
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 09/01/2005 08:27:51

On Thu, 1 Sep 2005, Steven M. Bellovin wrote:
> I'm running audit-packages 1.38, which seems to put the vulnerability
> list in /usr/pkg/share/pkg-vulnerabilities. However, 'make' is
> checking /usr/pkgsrc/distfiles/pkg-vulnerabilities. I have up-to-date
> pkgsrc (from the head), up-to-date audit-packages, and up-to-date
> pkg_install. Am I doing something wrong, or should I send-pr?
> (This is on -current from 13 August.)

This is based on the PKGVULNDIR setting. It defaults to ${DISTDIR} (your
/usr/pkgsrc/distfiles). I guess your audit-packages was built with
PKGVULNDIR set to /usr/pkg/share/.

You can also set PKGVULNDIR in your shell environment and
download-vulnerability-list and audit-packages should use it. Or they can
be set in your ${PKG_SYSCONFDIR}/audit-packages.conf file.

Look at your audit-packages script to see what is hard-coded in it, check
your audit-packages.conf configuration, or see if PKGVULNDIR is defined in
the environment.

Jeremy C. Reed
Low cost press releases
http://www.reedmedia.net/
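
Added example, not part of the original message and not pkgsrc code: a small sh helper that lists PKGVULNDIR as found in the three places the reply names (environment, audit-packages.conf, the audit-packages script) and flags when they disagree, which is the condition where the list being downloaded is not the list being checked at build time. The function names, the `report` argument and the assumption that both files use shell-style `PKGVULNDIR=value` assignments are mine.

```shell
#!/bin/sh
# Added example, not pkgsrc code. Lists each place PKGVULNDIR is defined so a
# split between the list that gets downloaded and the list that gets checked
# is visible. Assumption: files use shell-style PKGVULNDIR=value assignments.

# Print the value of every uncommented PKGVULNDIR assignment in file $1.
pkgvulndir_in_file() {
    [ -r "$1" ] || return 0
    sed -n 's/^[^#]*PKGVULNDIR=\([^[:space:]}]*\).*/\1/p' "$1" | tr -d "\"'"
}

# Print "source<TAB>directory" for the three places named in the reply:
# the environment, the conf file ($2) and the audit-packages script ($1).
pkgvulndir_sources() {
    if [ -n "${PKGVULNDIR:-}" ]; then printf 'env\t%s\n' "${PKGVULNDIR%/}"; fi
    for pair in "conf:$2" "script:$1"; do
        pkgvulndir_in_file "${pair#*:}" | while read -r d; do
            if [ -n "$d" ]; then printf '%s\t%s\n' "${pair%%:*}" "${d%/}"; fi
        done
    done
}

# Succeed (status 0) when the sources name more than one distinct directory.
pkgvulndir_conflict() {
    n=$(( $(pkgvulndir_sources "$1" "$2" | cut -f2 | sort -u | wc -l) ))
    [ "$n" -gt 1 ]
}

# Usage: sh thisfile report /path/to/audit-packages /path/to/audit-packages.conf
if [ "${1:-}" = "report" ]; then
    pkgvulndir_sources "$2" "$3"
    if pkgvulndir_conflict "$2" "$3"; then
        echo "PKGVULNDIR differs between sources" >&2
    fi
fi
```

The output does not say which source wins; it only shows where the values diverge so the hard-coded, configured and environment settings can be brought into line.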