Subject: Re: pkg/28230: bsd.pkg.mk ignores /etc/audit-packages.conf
To: None <agc@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: pkgsrc-bugs
Date: 04/06/2005 22:56:01
The following reply was made to PR pkg/28230; it has been noted by GNATS.

From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
To: Alistair Crooks <agc@pkgsrc.org>
Cc: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>,
	"Julio M. Merino Vidal" <jmmv@menta.net>, gnats-bugs@netbsd.org
Subject: Re: pkg/28230: bsd.pkg.mk ignores /etc/audit-packages.conf
Date: Thu, 7 Apr 2005 00:52:44 +0200

 At 21:14 Uhr +0000 23.3.2005, Alistair Crooks wrote:
 >On Wed, Nov 17, 2004 at 08:15:40PM +0100, Hauke Fath wrote:
 >> Julio M. Merino Vidal wrote
 >>
 >> [Note that I saw this only by chance / because of the duplicate of this
 >> bug; you left me off the Cc: list.]
 >>
 >> > How does the patch below look?  (I've put the chunk of code just before the
 >> > check-vulnerable target, but I'm not sure that's the best place...)
 >> [...]
 >>
 >> Works for me (although I must admit it looks a bit clumsy to me).
 >
 >Thanks to Julio - I wonder if the attached patch is any more
 >aesthetically pleasing?
 >
 >Works for me, although my setup is depressingly standard.
 
 Alistair,
 
 sorry for being late with my comment - I've been distracted somewhat...
 
 Testing what you committed now, I found that the do-fetch target needs
 $PKGVULNDIR set up, too. Otherwise it will look at the pkg-vulnerabilities
 default location, complain and not make check-vulnerable. The following
 patch does that, duplicating your additions to the check-vulnerable target:
 
 Index: bsd.pkg.mk
 ===================================================================
 RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.mk,v
 retrieving revision 1.1608
 diff -u -u -r1.1608 bsd.pkg.mk
 --- bsd.pkg.mk	5 Apr 2005 14:00:33 -0000	1.1608
 +++ bsd.pkg.mk	6 Apr 2005 22:31:17 -0000
 @@ -1422,15 +1422,20 @@
  do-fetch:
  .  if !defined(ALLOW_VULNERABLE_PACKAGES)
  	${_PKG_SILENT}${_PKG_DEBUG}					\
 -	if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then		\
 +	if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f
 ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
 +		. ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \
 +	elif [ ! -z "${PKG_SYSCONFDIR}" -a -f
 ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
 +		. ${PKG_SYSCONFDIR}/audit-packages.conf;		\
 +	fi;								\
 +	if [ -f $${PKGVULNDIR}/pkg-vulnerabilities ]; then		\
  		${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in
 ${PKGNAME}"; \
  		vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`;		\
  		case "$$vul" in						\
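
Review bot: On the changed test line, `$${PKGVULNDIR}` is now expanded by the shell instead of by make, so when neither audit-packages.conf exists, or the file that gets sourced does not assign PKGVULNDIR, the shell variable is empty unless it happens to be in the environment; the `-f` test then looks at /pkg-vulnerabilities, fails, and the check-vulnerable branch is not taken. Seeding the shell variable from the make value before the first `if`, for example `PKGVULNDIR="${PKGVULNDIR}";`, would keep the make-level default as a fallback. Separately, the two added tests combine `! -z` and `-f` with `-a` and leave the path unquoted; `[ -n "..." ] && [ -f "..." ]` with the path in double quotes avoids the ambiguous `-a` parsing and word splitting. Since the `.` lines execute audit-packages.conf as shell code inside the fetch step, a comment noting that the file must be writable only by the account that runs the build would be worth adding.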
 
 
 -- OTOH, since it looks like nothing but do-fetch uses check-vulnerable,
 would it make sense to move the code to do-fetch and avoid the code
 duplication? Alternatively, we could move all of the shell code concerned
 with vulnerability checking to check-vulnerable.
 
 I'd be happy to test both options and provide patches.
 
 	hauke
 
 --
 /~\  The ASCII Ribbon Campaign
 \ /    No HTML/RTF in email
  X     No Word docs in email
 / \  Respect for open standards