ports vulnerabilities

Kevin D. Kinsey, DaleCo, S.P. kdk at daleco.biz
Thu Nov 18 18:27:31 UTC 2004


Dan Mahoney, System Admin wrote:

> I had heard a bit about the new "vulnerability check" in
> FreeBSD's ports. I tried reading /usr/ports/updating and saw something 
> like:
>
>
>  Description: A new vulnerabilities database has been added to the
>  ports system in order to keep more accurate, up-to-date, track of
>  security vulnerabilities.  The ports system now knows how to query
>  that database and dynamically prevents the installation of vulnerable
>  ports.
>
> I had to do some more digging around on various googles to find out
> that in order to USE this ability, I had to install the portaudit port. 
> This seems like a useful feature, but I'm curious: Why isn't this in 
> the base system?


I can't answer that, as I'm nobody special.  The functionality
is rather new, and I'm assuming that either they wanted more
"modularity" in keeping with some other recent trends, or else
they plan to put it in base but haven't yet, or, quite possibly,
it's not yet the Best Thing(tm) to do for some reason that seems
unclear to me (and maybe to you as well...)

>
> I tried to install a port which had a conflict (ImageMagick)
> but I didn't feel the vulnerability was significant enough to
> warrant waiting for a new port to be created.  I looked in
> the ports man page for an override environment variable,
> but "vulnerability check" isn't even mentioned there. 
> Could this please get stuck into the manpages?
>
> -Dan Mahoney


I'm cc-ing to doc@ ... we'll see if anyone wants to comment.
[ Umm, yeah ... they're great guys, but busy.  We'll see....]

You might also check with ports@ ... or just file a PR and
see what comes of it.

It'l also quite possible that spending some time in the ports@
list archives might turn up some of the info your're looking
for....

Also, what manpage would you *expect* to see this information
in?  You mention ports(7), but someone already thinks "this
manpage is too long" ;-)

Let discussion begin?

Kevin Kinsey
DaleCo, S.P.



More information about the freebsd-doc mailing list