Subject: pkg/11463: audit-packages too strict about old vulnerability list
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 11/10/2000 00:56:10
>Number: 11463
>Category: pkg
>Synopsis: audit-packages too strict about old vulnerability list
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 10 00:56:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Jun-ichiro itojun Hagino
>Release: <NetBSD-current source date>
>Organization:
itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.5J NetBSD 1.5J (STARFRUIT) #270: Fri Nov 10 11:07:50 JST 2000 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
>Description:
audit-packages from audit-packages-1.2 is too strict about an old
vulnerability list file. For example, the last update for the package
vulnerability list is October 27.
>How-To-Repeat:
>Fix:
1. do not check for timestamp.
2. warn about old timestamp, and continue on (do not die).
3. do not preserve timestamp on download-vulnerability-list.
>Release-Note:
>Audit-Trail:
>Unformatted:
>-rw-r--r-- 1 itojun wheel 2142 Oct 27 01:48 vulnerabilities
download-vulnerability-list tries to preserve the original timestamp,
so you will always get the file with the October 27 timestamp.
Now, today is Nov 10, and as audit-packages will die if the vulnerabilities
list is more than 7 days old, I can never check for package
vulnerability.
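
Fixes 2 and 3 from the report, sketched as an added example (not code from audit-packages or from the report's author). The function names and the use of `cp` as a stand-in for the download are assumptions.

```shell
#!/bin/sh
# Added example, not audit-packages code; every name below is hypothetical.
MAX_AGE_DAYS=7   # the 7-day limit mentioned in the report

# Print a file's mtime as epoch seconds (GNU stat first, then BSD stat).
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Install a downloaded list. "preserve" keeps the upstream timestamp (the
# behaviour described in the report); "fetchtime" stamps the file with the
# time of the download (fix 3).
install_list() {
    mode=$1; src=$2; dst=$3
    case $mode in
        preserve)  cp -p "$src" "$dst" ;;
        fetchtime) cp "$src" "$dst" && touch "$dst" ;;
        *) echo "install_list: unknown mode $mode" >&2; return 2 ;;
    esac
}

# Fix 2: report a stale list on stderr but let the audit continue.
# Prints "fresh" or "stale"; returns non-zero only if the file is missing.
check_list() {
    [ -f "$1" ] || { echo "no vulnerability list at $1" >&2; return 1; }
    days=$(( ($(date +%s) - $(mtime_of "$1")) / 86400 ))
    if [ "$days" -gt "$MAX_AGE_DAYS" ]; then
        echo "warning: $1 is $days days old; continuing" >&2
        echo stale
    else
        echo fresh
    fi
}

# Demo on a constructed file carrying the Oct 27 2000 timestamp from the report.
tmp=$(mktemp -d)
echo "constructed sample entry" > "$tmp/upstream"
touch -t 200010270148 "$tmp/upstream"
install_list preserve "$tmp/upstream" "$tmp/kept"
install_list fetchtime "$tmp/upstream" "$tmp/stamped"
echo "preserved timestamp:  $(check_list "$tmp/kept")"
echo "fetch-time timestamp: $(check_list "$tmp/stamped")"
rm -rf "$tmp"
```

With the fetch-time stamp the age check measures how long ago the list was last downloaded, so a list that upstream has not changed for weeks still counts as fresh right after a download.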