Subject: Re: vulnerabilities not being checked at package compile time
To: Jeremy C. Reed <reed@reedmedia.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-pkg
Date: 09/01/2005 11:39:28
In message <Pine.NEB.4.62.0509010822330.17343@pilchuck.reedmedia.net>, "Jeremy 
C. Reed" writes:
>On Thu, 1 Sep 2005, Steven M. Bellovin wrote:
>
>> I'm running audit-packages 1.38, which seems to put the vulnerability
>> list in /usr/pkg/share/pkg-vulnerabilities.  However, 'make' is
>> checking /usr/pkgsrc/distfiles/pkg-vulnerabilities.  I have up-to-date
>> pkgsrc (from the head), up-to-date audit-packages, and up-to-date
>> pkg_install.  Am I doing something wrong, or should I send-pr?
>> (This is on -current from 13 August.)
>
>This is based on the PKGVULNDIR setting. It defaults to ${DISTDIR} (your 
>/usr/pkgsrc/distfiles). I guess your audit-packages was built with 
>PKGVULNDIR set to /usr/pkg/share/.
>
>You can also set PKGVULNDIR in your shell environment and 
>download-vulnerability-list and audit-packages should use it. Or they can 
>be set in your ${PKG_SYSCONFDIR}/audit-packages.conf file.
>
>Look at your audit-packages script to see what is hard-coded in it, check 
>your audit-packages.conf configuration, or see if PKGVULNDIR is defined in 
>environment.
>

I don't recall ever setting it explicitly, but I think the last time 
audit-packages was built it was under pkg_comp, which may have had some 
default. 

Different packages shouldn't have different defaults....

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
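Added example, not from this thread and not pkgsrc's own audit-packages script: a small sh diagnostic for the situation discussed above. It resolves PKGVULNDIR from the three places the reply names (the environment, ${PKG_SYSCONFDIR}/audit-packages.conf, and the ${DISTDIR} default) and then checks that the build-time check in 'make' and audit-packages would read one and the same pkg-vulnerabilities file. The precedence environment > conf file > default, the assumption that the conf file assigns PKGVULNDIR on a line of its own, and the demo's argument for the script's hard-coded directory are all assumptions, not taken from pkgsrc.

```shell
#!/bin/sh
# Added example; not the audit-packages script and not from the thread.
# Assumed, not taken from pkgsrc: the precedence environment > conf file >
# ${DISTDIR} default, and that audit-packages.conf assigns PKGVULNDIR on a
# line of its own.

# resolve_pkgvulndir ENV_VALUE CONF_FILE DISTDIR
#   Prints the directory that would be consulted for pkg-vulnerabilities.
resolve_pkgvulndir() {
    env_value=$1
    conf_file=$2
    distdir=$3

    if [ -n "$env_value" ]; then
        printf '%s\n' "$env_value"
        return 0
    fi

    if [ -r "$conf_file" ]; then
        # Read the assignment instead of sourcing the file: sourcing would run
        # whatever else the file contains, with the caller's privileges.
        # The last assignment wins, as it would if the file were sourced.
        quotes="\"'"
        conf_value=$(sed -n 's/^[[:space:]]*PKGVULNDIR=//p' "$conf_file" \
                     | tail -n 1 | tr -d "$quotes")
        if [ -n "$conf_value" ]; then
            printf '%s\n' "$conf_value"
            return 0
        fi
    fi

    printf '%s\n' "$distdir"
}

# vulnlist_consistent MAKE_DIR TOOL_DIR
#   Succeeds only when both consumers point at the same directory and that
#   directory holds a non-empty pkg-vulnerabilities.  An empty or missing
#   file makes every package look clean, so it counts as a failure too.
vulnlist_consistent() {
    make_dir=$1
    tool_dir=$2
    [ "$make_dir" = "$tool_dir" ] || return 1
    [ -s "$make_dir/pkg-vulnerabilities" ] || return 1
    return 0
}

# demo DISTDIR CONF_FILE TOOL_DIR
#   Reproduces the mismatch from the thread: make resolves PKGVULNDIR from
#   the environment/conf/default chain, while the installed audit-packages
#   uses whatever directory was compiled into it (TOOL_DIR, taken here as
#   an argument because reading it out of the script is an assumption).
demo() {
    distdir=$1
    conf=$2
    tool_dir=$3
    make_dir=$(resolve_pkgvulndir "${PKGVULNDIR:-}" "$conf" "$distdir")
    if vulnlist_consistent "$make_dir" "$tool_dir"; then
        echo "ok: both read $make_dir/pkg-vulnerabilities"
        return 0
    fi
    echo "mismatch: make reads $make_dir, audit-packages reads $tool_dir" >&2
    return 1
}
```

Usage on a real system would be something like `demo /usr/pkgsrc/distfiles /usr/pkg/etc/audit-packages.conf /usr/pkg/share`, with the third argument taken from whatever the installed audit-packages script has hard-coded. The non-empty-file check is deliberate: a pkg-vulnerabilities that exists but is empty passes every package, which is the silent failure a build-time check should refuse to accept.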