> On 11 Aug 2017, at 23:47, Roger Marquis <marquis at roble.com> wrote: > >> It had been resolved for dovecot (it will now match both variants, since people might still have >> the old variant of the port installed) and there is a new paragraph added to the porters handbook >> which tells that we need to have a look at the vuxml entries. > > Thanks Remko.No problemo :)> >> Hope this solves your issue, > > It may for renamed ports/pkgs but doesn't appear to for deprecations. > Once ports are dropped they do not show up in pkg-audit despite having > been installed via pkg and/or ports. That's the false negative that > appears to still be a problem.Ports / pkgs that get renamed are now changed and/or added in VuXML as well. So the old variant and the new variant of the name?s would both be listed in pkg audit. pkg audit parses VuXML, it also does a check on what is locally registered in it?s database. For example if you have a/b installed. And that has a marking in VuXML : <package>b</package> then it would hit on the package you have. If a/b gets removed for some reason, and it is still in VuXML and you have it locally registered. Then it would be still be matched (or should). If an entry is removed from the ports/pkg tree?s and it is also removed from VuXML, then yes, it will no longer get marked in your local installation. That?s a bit of a chicken and egg basically. Although I do not recall that it ever happened that ports that are no longer there, are removed from VuXML as well. (And I follow that since 2004). Do you have a more concrete example that we can dive into to see what is going on/going wrong? Cheers Remko> > Roger-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Message signed with OpenPGP URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20170811/545b0214/attachment.sig>
On Fri, 11 Aug 2017, Remko Lodder wrote:> If an entry is removed from the ports/pkg tree?s and it is also removed > from VuXML, then yes, it will no longer get marked in your local > installation. That?s a bit of a chicken and egg basically. Although I do > not recall that it ever happened that ports that are no longer there, are > removed from VuXML as well. (And I follow that since 2004). > > Do you have a more concrete example that we can dive into to see what is > going on/going wrong?Should be able to find missing vulxml entries for most anything that has been deprecated from the ports tree but most of the ones I've seen are for web programming languages, particularly php. For example when php5X was dropped it also disappeared from vulxml, with no small number of servers still using it. If those sites depended on pkg-audit to tell them they had a vulnerability, well, they were out of luck. There was no warning, no error, no disclaimer, pkg-audit did and still does nothing different than it would for a non-vulnerable port or package. There may be more vulnerabilities in the wild from non-packaged base as it is larger but at least people are working on that. Pkg-audit tracking of installed but deprecated ports OTOH, seems to have fallen through the cracks. Even the FreeBSD Foundation and the ports-security teams appear to be ignoring this issue. Roger Marquis