Subject: update-vulnerability-list via CVS?
To: None <tech-pkg@netbsd.org>
From: Geert Hendrickx <geert.hendrickx@ua.ac.be>
List: tech-pkg
Date: 06/20/2005 14:03:55
--M9NhX3UHpAaciwkO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I have been wondering for a while why the pkg-vulnerabilities file has
to be downloaded completely via FTP each time.  Since it's largely an
append-only file, it could very well be synchronised via CVS, if the
file were somewhere in the pkgsrc/ CVS repository.  

I have been messing with the download-vulnerability-list script (to be
renamed to update-vulnerability-list), assuming the vulnerabilities file
is in the root of $PKGSRCDIR.  It cvs updates the file if it's already
there, and checks it out otherwise.  This way the file would also be
updated on a regular pkgsrc update.  (see patch in attachment)

What do you think?  

GH

-- 
:wq

--M9NhX3UHpAaciwkO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="audit-packages.diff"

--- audit-packages/files/download-vulnerability-list.orig	2005-06-20 11:07:54.000000000 +0200
+++ audit-packages/files/download-vulnerability-list	2005-06-20 11:49:09.000000000 +0200
@@ -35,9 +35,8 @@
 
 : ${PKGVULNDIR=@PKGVULNDIR@}
 
-VUL_SOURCE="ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"
-NEW_VUL_LIST=pkg-vulnerabilities.$$
-EXIST_VUL_LIST=pkg-vulnerabilities
+DEFAULT_CVSROOT=:pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot
+VUL_LIST=pkg-vulnerabilities
 
 if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then
 	echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf"
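Review bot: DEFAULT_CVSROOT is assigned unconditionally, so a CVSROOT already set in the environment is ignored and the name's "DEFAULT_" prefix promises a fallback that nothing implements; the neighbouring `: ${PKGVULNDIR=@PKGVULNDIR@}` line shows the script's convention for overridable settings. Declaring it the same way, `: ${DEFAULT_CVSROOT=:pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot}`, lets the environment and the audit-packages.conf read just below supply a mirror or a local repository without editing the script. A one-line comment stating that the value is an anonymous, unauthenticated pserver root and that the embedded #CHECKSUM check is the only integrity check on the fetched file would also help the next maintainer.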
@@ -50,34 +49,32 @@
 fi
 
 cd ${PKGVULNDIR}
-utility=`echo "@FETCH_CMD@" | @AWK@ '{ print $1 }'`
-case "$utility" in
-*curl)	@FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
-*ftp)	@FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
-*wget)	@FETCH_CMD@ ${FETCH_ARGS} -O ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
-*fetch)	@FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
-*)	echo "Unknown fetch command - please use send-pr to send in support for your fetch command" 1>&2
-	exit 1
-	;;
-esac
+if [ -e CVS/Root ]; then
+	cvs update $VUL_LIST
+else
+	cd ..	# for some reason, the cvs _server_ doesn't accept -d . to put the files in the current directory
+	TARGETDIR=`basename ${PKGVULNDIR}`
+	cvs -d $DEFAULT_CVSROOT checkout -d ${TARGETDIR} $VUL_LIST
+fi
 
 # see if we got a file
-if [ ! -f "${NEW_VUL_LIST}" ]; then
-	echo "***WARNING*** Download of vulnerabilities file failed" 1>&2
+if [ ! -f "${VUL_LIST}" ]; then
+	echo "***WARNING*** Checkout of vulnerabilities file failed" 1>&2
+	#                   ^^^^^^^^ this won't happen on update?
 	exit 1
 fi
 
-# see if the file got damaged while it was being downloaded
+# see if the file got damaged while it was being updated
 errmsg=""
-recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${NEW_VUL_LIST}`
-recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' ${NEW_VUL_LIST}`
+recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${VUL_LIST}`
+recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' ${VUL_LIST}`
 case "$recordedsum" in
-"")	errmsg="***WARNING*** No checksum found in the downloaded vulnerabilities file"
+"")	errmsg="***WARNING*** No checksum found in the updated vulnerabilities file"
 	;;
 *)	case "$recordedalg" in
-	"")	errmsg="***WARNING*** No checksum algorithm found in the downloaded vulnerabilities file"
+	"")	errmsg="***WARNING*** No checksum algorithm found in the updated vulnerabilities file"
 		;;
-	*)	calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' ${NEW_VUL_LIST} | @DIGEST@ $recordedalg`
+	*)	calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' ${VUL_LIST} | @DIGEST@ $recordedalg`
 		if [ "$recordedsum" != "$calcsum" ]; then
 			errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
 		fi
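Review bot: In the checkout branch the script does `cd ..` and never returns, so every following relative path (`[ ! -f "${VUL_LIST}" ]`, the awk and digest invocations) is evaluated in the parent of PKGVULNDIR rather than in the freshly checked-out directory; on a first run the presence test therefore fails and the script exits with "Checkout of vulnerabilities file failed" even though the checkout succeeded. Neither `cvs update` nor `cvs checkout` has its exit status checked, and as the author's own `^^^^^^^^ this won't happen on update?` comment observes, a failed update leaves the previous file in place and passes the presence test, so a network or server failure is reported as success. The old flow downloaded to a temp file, verified it and only then moved it into place; the new flow verifies in place, so a checksum mismatch now exits 1 while leaving the unverified file as the live list for later audit-packages runs (the last hunk, which drops the RM/MV staging, is where that behaviour disappears), which is worth either keeping a staged copy or at least documenting. Running the checkout in a subshell and propagating both exit statuses fixes the first two points. The checksum `case` that this hunk ends in continues past the hunk.
```shell
if [ -e CVS/Root ]; then
	cvs update "${VUL_LIST}" || exit 1
else
	# the cvs server rejects "-d .", so check out from the parent into basename(PKGVULNDIR);
	# the subshell keeps the cwd of the rest of the script in PKGVULNDIR
	TARGETDIR=`basename "${PKGVULNDIR}"`
	(cd .. && cvs -d "${DEFAULT_CVSROOT}" checkout -d "${TARGETDIR}" "${VUL_LIST}") || exit 1
fi
# … unchanged: presence test and #CHECKSUM verification …
```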
@@ -88,30 +85,8 @@
 case "$errmsg" in
 "")	;;
 *)	echo "$errmsg" 1>&2
-	@RM@ -f ${NEW_VUL_LIST}
 	exit 1
 	;;
 esac
 
-# test to see if file has been changed
-neednew=false
-if [ -f ${EXIST_VUL_LIST} ]; then
-	oldsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${EXIST_VUL_LIST}`
-	if [ "$oldsum" != "$calcsum" ]; then
-		neednew=true
-	fi
-else
-	neednew=true
-fi
-
-# if we need the new file, move it into position
-if $neednew; then
-	echo "Package vulnerabilities file has been updated"
-	@CHMOD@ a+r ${NEW_VUL_LIST}
-	@MV@ -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
-else
-	echo "No change from existing package vulnerabilities file"
-	@RM@ -f ${NEW_VUL_LIST}
-fi
-
 exit 0

--M9NhX3UHpAaciwkO--