Subject: audit-packages is not capable of dealing with the likes of BIND-9 vs. BIND-8
To: NetBSD Packages Technical Discussion List <tech-pkg@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 07/08/2002 13:56:16
I've been getting this rather annoying and incorrect warning of late:

[ On Monday, July 8, 2002 at 03:20:24 (-0400), Charlie Root wrote: ]
> Subject: sometimes daily insecurity output for Mon Jul  8 03:15:01 EDT 2002
> 
> Running /usr/sbin/download-vulnerability-list:
> Trying 3ffe:8050:201:1860:2e0:81ff:fe03:ecf2...
> Trying 204.152.184.75...
> 
> Running /usr/sbin/audit-packages:
> Package bind-8.3.3 has a denial-of-service vulnerability, see http://www.cert.org/advisories/CA-2002-15.html
> 

Well I finally got around to looking at its cause, and it appears to be
a case where audit-packages, and thus really pkg_info, is incapable of
understanding package names which include part of the version number.

The only real solution I can think of is to set net/bind9's PKGNAME to
be "bind9", not "bind" (and fix the vulnerabilities file of course).  I
suppose net/bind8 should be changed similarly, as well as any other
package where there are two major branches of a project in active use
(i.e. supported in pkgsrc) and they currently go by the same basename.

This is, BTW, why my updates in PR#16202 included the beginnings of
conflicts for the other bind packages -- I just hadn't gotten around to
making the PKGNAME changes and I'd forgotten why I was trying to do
this!  ;-)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
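The mismatch the post describes, as an added illustration that is not part of the original message and not pkgsrc's own audit-packages code: a minimal "name<version" matcher in the style of the vulnerabilities file. The two entries below are constructed (the real 2002 entry for CA-2002-15 is not quoted in the post), and the line format "pattern type url" and the dewey comparison are simplified assumptions. With a shared basename "bind", a BIND 9 advisory with an upper version bound also matches every BIND 8 package, because 8.3.3 sorts below 9.2.1; with branch-specific basenames ("bind8", "bind9") the same advisory only reaches the branch it concerns.

```python
import re

# Constructed, hypothetical vulnerability entries (format assumed: "pattern type url").
# Same advisory, first keyed on the shared basename, then on a per-branch basename.
URL = "http://www.cert.org/advisories/CA-2002-15.html"
SHARED_BASENAME_ENTRY = f"bind<9.2.1 denial-of-service {URL}"
SPLIT_BASENAME_ENTRY = f"bind9<9.2.1 denial-of-service {URL}"


def split_pkgname(pkgname):
    """Split 'name-version' at the last '-', the way pkg_info reads package names."""
    base, sep, ver = pkgname.rpartition("-")
    if not sep or not ver or not ver[0].isdigit():
        raise ValueError(f"no version in {pkgname!r}")
    return base, ver


def dewey(ver):
    """Parse '8.3.3nb2' into (numeric parts, pkgsrc 'nb' revision); assumed simplified grammar."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version {ver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def dewey_lt(a, b, or_equal=False):
    """Compare two version strings, padding short ones with zeros so 9.2 == 9.2.0."""
    (pa, na), (pb, nb) = dewey(a), dewey(b)
    width = max(len(pa), len(pb))
    ka = (pa + (0,) * (width - len(pa)), na)
    kb = (pb + (0,) * (width - len(pb)), nb)
    return ka <= kb if or_equal else ka < kb


def matches(pattern, pkgname):
    """True if an installed package falls under a 'name<version' or 'name<=version' pattern."""
    m = re.fullmatch(r"([^<>=]+)(<=|<)(\S+)", pattern)
    if not m:
        raise ValueError(f"unsupported pattern {pattern!r}")
    pbase, op, pver = m.groups()
    base, ver = split_pkgname(pkgname)
    # The basename is the only thing that scopes a pattern to a project;
    # nothing here knows that bind-8.x and bind-9.x are separate branches.
    if base != pbase:
        return False
    return dewey_lt(ver, pver, or_equal=(op == "<="))


def audit(vulnerabilities, installed):
    """Return (pkgname, type, url) for every installed package some entry matches."""
    hits = []
    for line in vulnerabilities:
        pattern, vtype, url = line.split()
        for pkg in installed:
            if matches(pattern, pkg):
                hits.append((pkg, vtype, url))
    return hits


if __name__ == "__main__":
    # Shared basename: the BIND 8 package is flagged by a BIND 9 advisory.
    print(audit([SHARED_BASENAME_ENTRY], ["bind-8.3.3", "bind-9.2.0"]))
    # Per-branch basenames, as the post proposes: only bind9 is flagged.
    print(audit([SPLIT_BASENAME_ENTRY], ["bind8-8.3.3", "bind9-9.2.0"]))
```

The second run is the post's proposal in miniature: renaming the PKGNAME costs nothing in the comparison logic, and the entry "bind9<9.2.1" can no longer be satisfied by anything from net/bind8.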