Subject: improved pkg-vulnerabilities checking
To: None <tech-pkg@netbsd.org>
From: Eric Haszlakiewicz <erh@jodi.nimenees.com>
List: tech-pkg
Date: 11/09/2005 16:32:46
	It's bugged me for a while that the switch to turn off vulnerability
checking when building packages is an all-or-nothing switch.  i.e.
	ALLOW_VULNERABLE_PACKAGES=yes
skips checks for everything.  I changed bsd.pkg.mk so I can do things
like this instead:
	ALLOW_VULNERABLE_PACKAGES+=sun-jdk15-5.0.5
etc...

Then, it occurred to me that just because I ignore one particular
vulnerability I might still care about a new one that is discovered later.
So, in addition to the above I thought something like this might be workable:

	ALLOW_VULNERABLE_PACKAGES+=vulnid:1234

Where the "vulnerability id" is the index of the vulnerability in the
pkg-vulnerabilities file.  (i.e. line number, but not counting comment lines)
However, that seems somewhat fragile so I was thinking of changing the
format of the file so it looks like this:
<pkg pattern>   <vulnid>,<type>   <url>
e.g.:
libungif<4.1.3nb3   1520,remote-code-execution   http://secunia.com/advisories/17436/

and bumping the format version to 1.0.1.  (not 1.1, since it's still compatible
with the old audit-packages script)
Then, since it's nice not to duplicate code, I combined it all into the
audit-packages script and had the package makefiles call that instead.

Patch is available at http://poe.swapsimple.com/pkgsrc_audit/

Thoughts?

eric
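The matching logic the proposal describes, worked through as an added example that is not Eric's patch and not the pkgsrc audit-packages script (which is a shell script); it is written in Python so the parser and the allow-list semantics are easy to read. It parses the proposed 1.0.1 line format, skips comment lines so a vulnid no longer depends on line position, and applies an ALLOW_VULNERABLE_PACKAGES value that may contain "yes", package names, or "vulnid:NNNN" tokens. The pkgsrc pattern and version handling is a deliberately reduced subset (assumption: relational patterns and "nb" revisions only, no globs or alpha/beta suffixes), and all entries other than the libungif line from the post are constructed sample data.

```python
import operator
import re

# Constructed sample of the proposed 1.0.1 pkg-vulnerabilities format:
#   <pkg pattern>   <vulnid>,<type>   <url>
# The first entry is the libungif line from the post; the other two are
# made-up entries with example.invalid URLs so the allow-list cases show up.
SAMPLE_PKG_VULNERABILITIES = """\
# pkg-vulnerabilities (constructed sample)
#FORMAT 1.0.1
libungif<4.1.3nb3   1520,remote-code-execution   http://secunia.com/advisories/17436/
libungif<4.1.3nb4   1530,denial-of-service       http://example.invalid/advisory/1530
sun-jdk15<5.0.6     1540,remote-code-execution   http://example.invalid/advisory/1540
"""

_OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt, ">": operator.gt}


def parse_vulnerabilities(text):
    """Parse '<pkg pattern> <vulnid>,<type> <url>' lines.  '#' lines and blank
    lines are skipped, so a vulnid no longer depends on its line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or "," not in fields[1]:
            raise ValueError(f"line {lineno}: expected '<pattern> <vulnid>,<type> <url>'")
        vulnid, vtype = fields[1].split(",", 1)
        entries.append({"pattern": fields[0], "vulnid": vulnid,
                        "type": vtype, "url": fields[2]})
    return entries


def _dewey(version):
    """Simplified pkgsrc version key (assumption, not the real dewey code):
    '4.1.3nb3' -> [(1,4),(1,1),(1,3),(1,3)].  Numeric parts compare as ints,
    alphabetic parts as strings, and the trailing 'nb' revision is the last
    component (0 when absent).  alpha/beta/rc/pl suffixes are not handled."""
    base, _, nb = version.partition("nb")
    key = [(1, int(tok)) if tok.isdigit() else (0, tok.lower())
           for tok in re.findall(r"\d+|[A-Za-z]+", base)]
    key.append((1, int(nb) if nb else 0))
    return key


def split_pkgname(pkgname):
    """'sun-jdk15-5.0.5' -> ('sun-jdk15', '5.0.5'): the version starts at the
    last '-' that is followed by a digit."""
    m = re.match(r"^(.*)-(\d[^-]*)$", pkgname)
    return (m.group(1), m.group(2)) if m else (pkgname, "")


def pattern_matches(pattern, pkgname):
    """Subset of pkgsrc patterns: 'name<ver', 'name>=ver<ver', or an exact
    'name-ver'.  Glob patterns such as 'name-[0-9]*' are not handled here."""
    m = re.match(r"^([^<>]+)((?:[<>]=?[^<>]+)+)$", pattern)
    if not m:
        return pattern == pkgname
    base, version = split_pkgname(pkgname)
    if m.group(1) != base:
        return False
    return all(_OPS[op](_dewey(version), _dewey(bound))
               for op, bound in re.findall(r"(<=|>=|<|>)([^<>]+)", m.group(2)))


def parse_allow(allow_vulnerable_packages):
    """Interpret an ALLOW_VULNERABLE_PACKAGES value as make would hand it over:
    'yes' skips every check, a bare token names one package, and
    'vulnid:NNNN' ignores a single vulnerability wherever it applies."""
    tokens = allow_vulnerable_packages.split()
    return {
        "all": "yes" in tokens,
        "pkgs": {t for t in tokens if t != "yes" and not t.startswith("vulnid:")},
        "vulnids": {t.split(":", 1)[1] for t in tokens if t.startswith("vulnid:")},
    }


def audit(pkgname, entries, allow):
    """Return the vulnids that still block building pkgname once the allow
    list is applied; this is the result the package makefile would act on."""
    if allow["all"] or pkgname in allow["pkgs"]:
        return []
    return [e["vulnid"] for e in entries
            if pattern_matches(e["pattern"], pkgname)
            and e["vulnid"] not in allow["vulnids"]]


if __name__ == "__main__":
    entries = parse_vulnerabilities(SAMPLE_PKG_VULNERABILITIES)
    # Ignoring vulnid 1520 still leaves the later 1530 to stop the build.
    print(audit("libungif-4.1.3nb2", entries, parse_allow("vulnid:1520")))
```

The point of the per-vulnid form shows in the last call: with "vulnid:1520" allowed, an older libungif still fails the audit because the constructed entry 1530 was added afterwards, whereas a package-name entry or "yes" silences everything for that package.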