Eygene Ryabinkin wrote:
Roman, good day.

Sat, Sep 27, 2008 at 08:18:08PM +0400, Roman Kurakin wrote:

Have you also posted this to [EMAIL PROTECTED]?


No, forgot to do it.  CC'ing ports@

Thanks!

The original posting to hackers@ goes below.  It will be double-posted
to the bug-followup@ -- sorry for this.


Eygene Ryabinkin wrote:

Good day.

A while ago I had created the new utility that serves as VuXML
filter for the installed packages:
 http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/126853

My primary intention was to speed up the process of auditing the
vulnerable ports: I needed to run portaudit checks with Nagios and to
avoid large timeouts.

The new utility is called pkg_audit and it serves as a simple text
filter: on input it takes the full VuXML feed and on output it puts
VuXML entries that match ports that are installed in the system, with
the port version specification substituted with the actual port versions.

No harm is done to the actual portaudit -- if pkg_audit is missing, the old
code path is activated.

If someone is interested and will be able to test -- I am all ears.


Additional clarifications inspired by the off-line talk with rik@:
I could take another route and add this functionality to the pkg_info.
I took another approach for the following reasons.

1. pkg_info's option list is already quite big -- around 32 options
   and switches.

2. It is easier to test for the presence of the new tool (pkg_audit)
   and use it, instead of checking the support for the new option in
   pkg_info.

3. I see no options in pkg_info that can be naturally extended to
   absorb the new functionality.  The closest is '-E', but pkg_audit
   needs to read VuXML entries, choose ones that are present in the system
   and output the found VuXML entries with version templates substituted
   with the real entries, so pkg_audit is a filter-like utility.  In my
   opinion, such an extension of pkg_info's "-E" will be very unnatural.

4. I feel that it is the Unix way to do things: create small utilities
   that do their (small) job in a proper fashion.  Moreover, since the
   majority of the code sits in the pkg_install library, there is very
   slight code duplication, if any.

Is there any possibility of making portaudit / pkg_audit cooperate with pkg_version to show vulnerable packages with information on whether a newer (not vulnerable) package (or port) version is available to upgrade to?

If I read the nightly security e-mail with, for example, 4 vulnerable packages, then I need to log in to the server and manually check if newer (fixed) packages are available. It seems not so hard to check the output of `pkg_version -vIL =` and compare both versions (installed and available) with portaudit in some shell script; I didn't start to write it yet ;).

Miroslav Lachman
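The shell script sketched above, written out as an added example (not code from either poster): it takes portaudit's "Affected package:" lines and `pkg_version -vIL =` output and reports, per vulnerable package, whether the INDEX carries a newer version. Both inputs are constructed samples that mimic the two tools' output formats; the package names and the reference URL are placeholders, and on a real host the tools' output would be fed in instead.

```shell
#!/bin/sh
# Constructed sample of `portaudit` output (placeholder package names/URLs).
PORTAUDIT_OUT='Affected package: examplepkg-1.0
Type of problem: examplepkg -- constructed sample entry.
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER.html>

Affected package: otherpkg-2.3
Type of problem: otherpkg -- constructed sample entry.
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER.html>

2 problem(s) in your installed packages found.'

# Constructed sample of `pkg_version -vIL =` output: only packages whose
# installed version differs from the INDEX are listed.
PKG_VERSION_OUT='examplepkg-1.0  <  needs updating (index has 1.2)
unrelated-3.0  <  needs updating (index has 3.1)'

# audit_upgrades PORTAUDIT_TEXT PKG_VERSION_TEXT
# Prints one line per affected package:
#   "<pkg> upgrade-available <index version>"  or  "<pkg> no-fix-in-index"
audit_upgrades() {
    printf '%s\n' "$1" | sed -n 's/^Affected package: //p' | sort -u |
    while read -r pkg; do
        # Match the installed pkg name (field 1) and take the version in the
        # trailing "(index has X)" by stripping the closing parenthesis.
        newver=$(printf '%s\n' "$2" |
            awk -v p="$pkg" '$1 == p { sub(/\)$/, "", $NF); print $NF }')
        if [ -n "$newver" ]; then
            echo "$pkg upgrade-available $newver"
        else
            echo "$pkg no-fix-in-index"
        fi
    done
}

audit_upgrades "$PORTAUDIT_OUT" "$PKG_VERSION_OUT"
```

A newer INDEX version is not by itself proof of a fix: the candidate version still has to be checked against the VuXML range for the entry, which is exactly the kind of check pkg_audit's version substitution is meant to make cheap.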