Hi, today there was a new entry added to the vuxml file including all outdated ports. Where is the value in this Entry. The Information is already in the fact that the port has been removed. In this file should only are real vulnerabilities and not maybe vulnerable not existing ports. Right now this breaks my system to find vulnerable ports on my systems because all systems with legacy code show up with this entry. Please only add real vulnerabilities to this file. Maybe pkg audit should be print a warning (suppressible by a commandline switch or a whiltelist in the config file) when discontinued ports are installed. Putting all well known discontinued ports in a vuxml entry isn't a clean way to do it and creates a falls impression of security because all the not so well known discontinued ports are not in this list and users might depend on this warning. Regards Estartu -- ---------------------------------------------------------- Gerhard Schmidt | E-Mail: schmidt at ze.tum.de Technische Universit?t M?nchen | Jabber: estartu at ze.tum.de WWW & Online Services | Tel: +49 89 289-25270 | PGP-PublicKey Fax: +49 89 289-25257 | on request -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 847 bytes Desc: OpenPGP digital signature URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20160822/f1dfb4dc/attachment.sig>
> today there was a new entry added to the vuxml file including all > outdated ports. Where is the value in this Entry.This is good news for many of us Gerhard, who depend on the output of 'pkg audit' for vulnerability information.> In this file should only are real vulnerabilities and not maybe > vulnerable not existing ports.You raise two issues here, A) what constitutes a 'real' vulnerability and B) how else would you be warned of probable vulnerabilities (due to unmaintained and unaudited code). There is 'pkg version' of course but few sites use this flag and fewer still use it for vulnerability information.> Right now this breaks my system to find vulnerable ports on my systems > because all systems with legacy code show up with this entry.Can you post details of how it breaks your system?> Maybe pkg audit should be print a warning (suppressible by a commandline > switch or a whiltelist in the config file) when discontinued ports are > installed.A command line switch to ignore deprecated, discontinued and otherwise unadited ports is an excellent idea though I don't think there will be much demand for it. A default 'warn if deprecated' will no doubt be the modal usage and benefit the larger community (who have until now been mislead by the output of 'pkg audit'). Thanks for the heads-up. Roger