If memory serves me right, Kris Kennaway wrote:
Couple o' random thoughts; I don't have time to look into this myself...
> This could be done as an extension to pkg_version, since much of the
> code you will need to manage versions is already there, and it's a
> logical extension of that program's function.
Or you can use pkg_version's -t flag to help with the comparisons if
you think running it as a separate script is better.
> NetBSD have a port called audit-packages which does something similar,
> but not quite the same as the above (last I checked) -- it might still
> be useful as a starting point.
Think about where to put the parsed set of vulnerable packages. It
might live under /usr/ports or reside somewhere on the network. Use
fetch(1) to grab it from there, like pkg_version does for the INDEX
file.
Bruce.
PS. Jeff Kletsky, sorry I haven't looked at your dependency graphing
tool...I'm mildly thrashing right now. Sounds pretty neat though!
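As an added example (not code from this thread, and not pkg_version, audit-packages or any later FreeBSD tool), here is the audit loop the reply sketches: a parsed list of vulnerable packages is compared against the installed package set using a pkg_version -t style ordering. Everything below is an assumption for illustration: the one-entry-per-line list format, the package names, versions and reference strings (constructed, not real advisories), and the version comparator, which is a simplified re-implementation of the version[_revision][,epoch] ordering rather than a call to pkg_version itself. On a real system the list would be fetched with fetch(1) and the installed set taken from pkg_info; here both are embedded so the script runs offline.

```python
"""Minimal port vulnerability audit (illustrative, not the project's code).

Assumptions (not from the original thread):
  - the vulnerability list is a flat text file, one entry per line:
        <pkgname> <op><version> <reference>      op in < <= = >= >
    '#' starts a comment.  In production it would be fetched with fetch(1).
  - installed packages are pkg_info-style "name-version" strings.
  - compare_versions() re-implements, in simplified form, the ordering that
    `pkg_version -t a b` applies to  version[_revision][,epoch]:
    epoch wins, then dotted/alpha components, then PORTREVISION.
"""
import re
from typing import List, Tuple

_CHUNK = re.compile(r"(\d+|[A-Za-z]+)")
_RANGE = re.compile(r"^(<=|>=|<|=|>)(\S+)$")
_OPS = {
    "<": lambda r: r == "<",
    "<=": lambda r: r in "<=",
    "=": lambda r: r == "=",
    ">=": lambda r: r in ">=",
    ">": lambda r: r == ">",
}


def _split_version(v: str) -> Tuple[int, List[Tuple[int, object]], int]:
    """Return (epoch, chunks, revision) for 'version[_revision][,epoch]'."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    # numeric chunks sort above alpha chunks; "2.9p2" > "2.9" because the
    # shorter chunk list is a strict prefix of the longer one
    chunks = [(1, int(t)) if t.isdigit() else (0, t) for t in _CHUNK.findall(v)]
    return int(epoch or 0), chunks, int(rev or 0)


def compare_versions(a: str, b: str) -> str:
    """Return '<', '=' or '>' in the style of `pkg_version -t a b`."""
    ka, kb = _split_version(a), _split_version(b)
    return "<" if ka < kb else ">" if ka > kb else "="


def split_pkg(pkg: str) -> Tuple[str, str]:
    """'name-version' -> ('name', 'version'); the name itself may contain '-'."""
    name, sep, ver = pkg.rpartition("-")
    if not sep or not ver or not ver[0].isdigit():
        raise ValueError(f"not a name-version string: {pkg!r}")
    return name, ver


def parse_vuln_list(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse the constructed list format into (pkgname, op, version, ref)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'pkgname range reference'")
        name, rng, ref = parts
        m = _RANGE.match(rng)
        if not m:
            raise ValueError(f"line {lineno}: bad version range {rng!r}")
        entries.append((name, m.group(1), m.group(2), ref))
    return entries


def audit(installed: List[str], vuln_text: str) -> List[Tuple[str, str]]:
    """Return (installed_pkg, reference) for each package inside an affected range."""
    vulns = parse_vuln_list(vuln_text)
    hits = []
    for pkg in installed:
        name, ver = split_pkg(pkg)
        for vname, op, vver, ref in vulns:
            if vname == name and _OPS[op](compare_versions(ver, vver)):
                hits.append((pkg, ref))
    return hits


# Constructed sample data: names, versions and references are made up.
SAMPLE_VULNS = """\
# pkgname   affected   reference
foo         <1.2.3     example-ref-001
bar         <=2.0      example-ref-002
baz         =0.9_2     example-ref-003
"""
SAMPLE_INSTALLED = ["foo-1.2.2_1", "foo-1.10", "bar-2.0,1", "baz-0.9_2", "qux-3.4"]

if __name__ == "__main__":
    for pkg, ref in audit(SAMPLE_INSTALLED, SAMPLE_VULNS):
        print(f"{pkg}: affected, see {ref}")
```

Note the two cases the sample is built to exercise: "foo-1.10" is not flagged against "<1.2.3" because components compare numerically, not as strings, and "bar-2.0,1" is not flagged against "<=2.0" because the PORTEPOCH after the comma outranks everything else. A version string the comparator cannot interpret the way pkg_version would (for example one with a '-' inside it) is the kind of input worth checking against the real `pkg_version -t` before trusting a script like this.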