Date:      Sun, 28 Sep 2008 13:15:01 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc:        freebsd-hackers@freebsd.org, Roman Kurakin <rik@inse.ru>, bug-followup@freebsd.org, freebsd-ports@freebsd.org
Subject:   Re: ports/126853: ports-mgmt/portaudit: speed up audit of installed packages
Message-ID:  <48DF6735.4030906@quip.cz>
In-Reply-To: <o/JeKQBFxyWYOEj%2BysAVRhQK6g8@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
References:  <WGReTVL6CLts/44OKi4qLEsAGHs@jm/Q2DKg1djxmpGNf45V%2BWpjPIE>	<48DE5CC0.9000708@localhost.inse.ru> <o/JeKQBFxyWYOEj%2BysAVRhQK6g8@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>

Eygene Ryabinkin wrote:
> Roman, good day.
> 
> Sat, Sep 27, 2008 at 08:18:08PM +0400, Roman Kurakin wrote:
> 
>>Have you also posted this to ports@?
> 
> 
> No, forgot to do it.  CC'ing ports@
> 
> Thanks!
> 
> The original posting to hackers@ goes below.  It will be double-posted
> to the bug-followup@ -- sorry for this.
> 
> 
>>Eygene Ryabinkin wrote:
>>
>>>Good day.
>>>
>>>A while ago I had created the new utility that serves as VuXML
>>>filter for the installed packages:
>>>  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/126853
>>>
>>>My primary intention was to speed up the process of auditing the
>>>vulnerable ports: I needed to run portaudit checks with Nagios and to
>>>avoid large timeouts.
>>>
>>>The new utility is called pkg_audit and it serves as a simple text
>>>filter: on input it takes the full VuXML feed and on output it puts
>>>VuXML entries that match ports that are installed in the system, with
>>>the port version specification substituted with the actual port versions.
>>>
>>>No harm is done to the actual portaudit -- if pkg_audit is missing, the old
>>>code path is activated.
>>>
>>>If someone is interested and will be able to test -- I am all ears.
> 
> 
> Additional clarifications inspired by the off-line talk with rik@:
> I could take another route and add this functionality to the pkg_info.
> I took another approach for the following reasons.
> 
> 1. pkg_info's option list is already quite big -- around 32 options
>    and switches.
> 
> 2. It is easier to test for the presence of the new tool (pkg_audit)
>    and use it, instead of checking the support for the new option in
>    pkg_info.
> 
> 3. I see no options in pkg_info that can be naturally extended to
>    absorb the new functionality.  The closest is '-E', but pkg_audit
>    needs to read VuXML entries, choose ones that are present in the system
>    and output the found VuXML entries with version templates substituted
>    with the real entries, so pkg_audit is a filter-like utility.  In my
>    opinion, such an extension of pkg_info's "-E" would be very unnatural.
> 
> 4. I feel that it is the Unix way to do things: create small utilities
>    that do their (small) job in a proper fashion.  Moreover, since the
>    majority of the code sits in the pkg_install library, there is very
>    slight code duplication, if any.

Is there any possibility for portaudit / pkg_audit to cooperate with 
pkg_version to show a vulnerable package together with information on whether a 
newer (not vulnerable) package (or port) version is available to upgrade to?

If I read the nightly security e-mail with, for example, 4 vulnerable 
packages, then I need to log in to the server and manually check whether newer 
(fixed) packages are available. It seems not so hard to check the output of 
`pkg_version -vIL =` and compare both versions (installed and available) 
with portaudit in some shell script; I didn't start to write it yet ;).

Miroslav Lachman
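One way to do the join described above, as an added shell example that is not part of this thread or of portaudit/pkg_version themselves. The `pkg_version -vIL =` and `portaudit -a` outputs below are constructed samples, and the script assumes the usual "needs updating (index has X)" and "Affected package: name-version" line formats of those tools.

```shell
#!/bin/sh
# Added example: annotate portaudit's affected packages with the newer
# version that `pkg_version -vIL =` reports from the ports index, so a
# nightly report can say whether a fixed version is already available.

# Constructed sample of `pkg_version -vIL =` output (not from a real host).
PKG_VERSION_SAMPLE='apache-2.2.9_5                      <   needs updating (index has 2.2.10)
openssl-0.9.8h_2                    <   needs updating (index has 0.9.8i)
bash-3.2.33                         <   needs updating (index has 3.2.39)'

# Constructed sample of `portaudit -a` output (problem texts are placeholders).
PORTAUDIT_SAMPLE='Affected package: apache-2.2.9_5
Type of problem: apache -- example problem (constructed).
Affected package: perl-5.8.8_1
Type of problem: perl -- example problem (constructed).
2 problem(s) in your installed packages found.'

# upgrade_candidates: reads pkg_version -v output on stdin and prints
# "<name> <installed> <index>" for every package the index is ahead of.
upgrade_candidates() {
    while IFS= read -r line; do
        case $line in
            *"index has "*) ;;
            *) continue ;;
        esac
        pkg=${line%% *}              # first token, e.g. "apache-2.2.9_5"
        idx=${line##*index has }     # "2.2.10)"
        idx=${idx%)}                 # "2.2.10"
        printf '%s %s %s\n' "${pkg%-*}" "${pkg##*-}" "$idx"
    done
}

# report PKG_VERSION_OUTPUT PORTAUDIT_OUTPUT: one line per affected package,
# saying whether the index holds a newer version than the installed one.
report() {
    candidates=$(printf '%s\n' "$1" | upgrade_candidates)
    printf '%s\n' "$2" | sed -n 's/^Affected package: //p' | while IFS= read -r pkg; do
        name=${pkg%-*}
        new=$(printf '%s\n' "$candidates" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -n "$new" ]; then
            printf '%s: upgrade available (%s -> %s)\n' "$name" "${pkg##*-}" "$new"
        else
            printf '%s: no newer version in index (%s)\n' "$name" "${pkg##*-}"
        fi
    done
}

report "$PKG_VERSION_SAMPLE" "$PORTAUDIT_SAMPLE"
```

On a real host the two samples would be replaced by `pkg_version -vIL =` and `portaudit -a` run directly.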


