Subject: two audit-packages regressions with the move to pkg_install
To: None <tech-pkg@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-pkg
Date: 08/10/2007 08:21:24

Two things happened that broke some of my scripts.  I realize these were
probably never declared as part of the interface contract, but they both
surprised me.

1) download-vulnerability-list fails as a non-root user; it used to work
if one could write /usr/pkgsrc/distfiles.  While it's good to avoid
/usr/pkgsrc, since audit-packages should work on systems without source,
it seems unfortunate to require root.  It would seem that
/usr/pkg/share/vulnerabilities (a directory) would be a good place, so
that people could arrange to chmod it as they wish.  Right now one
really can't, and this issue is the only thing preventing
straightforward download-vulnerability-list/audit-packages runs as
non-root users.

2) audit-packages writes to standard error.  It used to write to
standard output (as I think it should), and it's documented to write to
standard output.  I suspect this is just a bug.

As an aside, I have been feeling that /var/db/pkg isn't an appropriate
place for the package database anyway - I'd like to see it under
/usr/pkg.