authoradrianp <adrianp@pkgsrc.org>2007-07-14 20:17:06 +0000
committeradrianp <adrianp@pkgsrc.org>2007-07-14 20:17:06 +0000
commit16b215dd7e202d492e64be305a4107c20d6f03b0 (patch)
tree8b9df8809682fba4ae922cacdd2b847235f10c39
parent874717c9d3c96a77322220a6dbedb676a7d71649 (diff)
downloadpkgsrc-16b215dd7e202d492e64be305a4107c20d6f03b0.tar.gz
Update to pkg_install-20070714
Merge of audit-packages with various improvements: * Version 20070714 Initial release of re-write in C Add support for notification of eol packages (-e) Multiple levels of verbosity (e.g. -v -v) Specify a custom config file to use (-c) Query running config values (-Q) Default to downloading the .gz compressed pkg-vulnerabilities file Support for .bz2 compressed pkg-vulnerabilities file Verify signature on downloaded files (-s) Thanks to tron@, jschauma@, agc@, joerg@ and pkgsrc-security@ for feedback and testing.
-rw-r--r--pkgtools/pkg_install/MESSAGE42
-rw-r--r--pkgtools/pkg_install/Makefile29
-rw-r--r--pkgtools/pkg_install/PLIST11
-rw-r--r--pkgtools/pkg_install/files/Makefile.in4
-rw-r--r--pkgtools/pkg_install/files/README5
-rw-r--r--pkgtools/pkg_install/files/audit-packages/AUTHORS11
-rw-r--r--pkgtools/pkg_install/files/audit-packages/COPYING30
-rw-r--r--pkgtools/pkg_install/files/audit-packages/Makefile.in85
-rw-r--r--pkgtools/pkg_install/files/audit-packages/README5
-rw-r--r--pkgtools/pkg_install/files/audit-packages/audit-packages.1.in336
-rw-r--r--pkgtools/pkg_install/files/audit-packages/audit-packages.c1093
-rw-r--r--pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in183
-rw-r--r--pkgtools/pkg_install/files/audit-packages/audit-packages.conf.5.in123
-rw-r--r--pkgtools/pkg_install/files/audit-packages/audit-packages.conf.cat5.in70
-rw-r--r--pkgtools/pkg_install/files/audit-packages/audit-packages.conf.in78
-rw-r--r--pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.1.in336
-rw-r--r--pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.cat1.in183
-rw-r--r--pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.sh.in205
-rwxr-xr-xpkgtools/pkg_install/files/configure13
-rw-r--r--pkgtools/pkg_install/files/configure.ac9
20 files changed, 2841 insertions, 10 deletions
diff --git a/pkgtools/pkg_install/MESSAGE b/pkgtools/pkg_install/MESSAGE
new file mode 100644
index 00000000000..0a841e623ca
--- /dev/null
+++ b/pkgtools/pkg_install/MESSAGE
@@ -0,0 +1,42 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1 2007/07/14 20:17:06 adrianp Exp $
+
+You may wish to have the vulnerabilities file downloaded daily so that
+it remains current. This may be done by adding an appropriate entry
+to a users crontab(5) entry. For example the entry
+
+# download vulnerabilities file
+0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
+
+will update the vulnerability list every day at 3AM. You may wish to do
+this more often than once a day.
+
+In addition, you may wish to run the package audit from the daily
+security script. This may be accomplished by adding the following
+lines to /etc/security.local
+
+if [ -x ${PREFIX}/sbin/audit-packages ]; then
+ ${PREFIX}/sbin/audit-packages
+fi
+
+Alternatively this can also be acomplished by adding an entry to a users
+crontab(5) file. e.g.:
+
+# run audit-packages
+0 3 * * * ${PREFIX}/sbin/audit-packages
+
+audit-packages and/or download-vulnerability-list need not be run by
+the root user. They will function as an unpriveleged user just so
+long as the user chosen has permmission to write the pkg-vulnerabilites
+to ${PKGVULNDIR}.
+
+A sample audit-packages.conf has been installed to:
+
+ ${EGDIR}/audit-packages.conf
+
+You may want to customise this file and copy it to /etc/audit-packages.conf.
+If you want to use signature verification you will need to install GnuPG and
+set the path for GPG appropriately in your audit-packages.conf. See
+audit-packages.conf(5) and audit-packages(8) for further information.
+
+===========================================================================
diff --git a/pkgtools/pkg_install/Makefile b/pkgtools/pkg_install/Makefile
index 635861d4a0e..b8243fa802b 100644
--- a/pkgtools/pkg_install/Makefile
+++ b/pkgtools/pkg_install/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.131 2007/07/10 15:19:18 joerg Exp $
+# $NetBSD: Makefile,v 1.132 2007/07/14 20:17:06 adrianp Exp $
# Notes to package maintainers:
#
@@ -17,13 +17,15 @@ MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.pkgsrc.org/
COMMENT= Package management and administration tools for pkgsrc
+CONFLICTS+= audit-packages-[0-9]*
+
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-pkgdbdir=${PKG_DBDIR:Q}
CONFIGURE_ARGS+= --with-ftp="\"${FETCH_CMD}"\"
CONFIGURE_ARGS+= --with-mtree="\"${MTREE}"\"
CONFIGURE_ARGS+= --with-pax="\"${PAX}"\"
CONFIGURE_ARGS+= --with-tar="\"${TAR}"\"
-USE_TOOLS+= mtree pax tar
+USE_TOOLS+= mtree pax tar gzcat
# The following tools are needed by pkg_view and linkfarm.
USE_TOOLS+= chmod cmp cp env find grep ln mkdir rm rmdir \
@@ -48,6 +50,8 @@ USE_NATIVE_GCC= yes
PKG_DELETE= ${WRKSRC}/delete/pkg_delete
CPPFLAGS+= -DDEF_UMASK=${DEF_UMASK}
+CPPFLAGS+= -DPREFIX="\"${PREFIX}\""
+CPPFLAGS+= -DSYSCONFDIR="\"${PKG_SYSCONFDIR}\""
MAKE_ENV+= MACHINE_ARCH=${MACHINE_ARCH:Q}
MAKE_ENV+= OPSYS=${OPSYS:Q}
@@ -55,6 +59,7 @@ MAKE_ENV+= OPSYS=${OPSYS:Q}
PKG_DBDIR?= /var/db/pkg
PKG_INFO= PKG_DBDIR=${PKG_DBDIR:Q} ${PKG_INFO_CMD}
PKG_ADMIN= PKG_DBDIR=${PKG_DBDIR:Q} ${PKG_ADMIN_CMD}
+EGDIR= ${PREFIX}/share/examples/pkg_install
PLIST_SUBST+= PKG_DBDIR=${PKG_DBDIR:Q}
@@ -63,12 +68,32 @@ INSTALL_SRC= ${PKGDIR}/INSTALL
FILES_SUBST+= PKG_DBDIR=${PKG_DBDIR:Q} \
PKG_TOOLS_BIN=${PKG_TOOLS_BIN:Q} \
MKDIR=${MKDIR:Q}
+MESSAGE_SUBST+= PKGVULNDIR=${PKG_DBDIR:Q} \
+ EGDIR=${EGDIR:Q}
.include "../../mk/bsd.prefs.mk"
VERSION!= ${AWK} -F '"' '/PKGTOOLS_VERSION/ {print $$2}' \
${FILESDIR}/lib/version.h
+# Make sure download-vulnerability-list.sh picks up the right tools
+# in the right directories.
+#
+SUBST_CLASSES= paths
+SUBST_STAGE.paths= pre-configure
+SUBST_MESSAGE.paths= Fixing paths in scripts.
+SUBST_FILES.paths= audit-packages/download-vulnerability-list.sh.in
+SUBST_FILES.paths+= audit-packages/audit-packages.1.in
+SUBST_FILES.paths+= audit-packages/audit-packages.cat1.in
+SUBST_FILES.paths+= audit-packages/audit-packages.conf.5.in
+SUBST_FILES.paths+= audit-packages/audit-packages.conf.cat5.in
+SUBST_FILES.paths+= audit-packages/audit-packages.conf.in
+SUBST_FILES.paths+= audit-packages/download-vulnerability-list.1.in
+SUBST_FILES.paths+= audit-packages/download-vulnerability-list.cat1.in
+SUBST_SED.paths= -e 's,@gzcat@,${GZCAT},g'
+SUBST_SED.paths+= -e 's,@sysconfdir@,${PKG_SYSCONFDIR},g'
+SUBST_SED.paths+= -e 's,@prefix@/bin/gpg,${PREFIX}/bin/gpg,g'
+
do-extract:
@${CP} -R ${FILESDIR} ${WRKSRC}
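Review bot: `SUBST_CLASSES= paths`, placed right after the `.include "../../mk/bsd.prefs.mk"` line, assigns instead of appends, so any SUBST class already registered by the included infrastructure (or by a second class a later maintainer adds above this one) is silently discarded; the pkgsrc convention is `SUBST_CLASSES+= paths`. The rest of the block is fine, but the line `SUBST_SED.paths+= -e 's,@prefix@/bin/gpg,${PREFIX}/bin/gpg,g'` deserves a short comment such as `# Default gpg path baked into the example config and man pages only; the runtime path is taken from GPG in audit-packages.conf`, since the MESSAGE and man page in this commit tell users to set the verifier path there and the -s signature check presumably resolves it from the config at runtime.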
diff --git a/pkgtools/pkg_install/PLIST b/pkgtools/pkg_install/PLIST
index ed567251ddd..1c84fd1356c 100644
--- a/pkgtools/pkg_install/PLIST
+++ b/pkgtools/pkg_install/PLIST
@@ -1,4 +1,6 @@
-@comment $NetBSD: PLIST,v 1.8 2006/04/24 13:52:04 dillo Exp $
+@comment $NetBSD: PLIST,v 1.9 2007/07/14 20:17:06 adrianp Exp $
+man/cat1/audit-packages.0
+man/cat1/download-vulnerability-list.0
man/cat1/linkfarm.0
man/cat1/pkg_add.0
man/cat1/pkg_admin.0
@@ -6,7 +8,10 @@ man/cat1/pkg_create.0
man/cat1/pkg_delete.0
man/cat1/pkg_info.0
man/cat1/pkg_view.0
+man/cat5/audit-packages.conf.0
man/cat5/pkg_summary.0
+man/man1/audit-packages.1
+man/man1/download-vulnerability-list.1
man/man1/linkfarm.1
man/man1/pkg_add.1
man/man1/pkg_admin.1
@@ -14,7 +19,10 @@ man/man1/pkg_create.1
man/man1/pkg_delete.1
man/man1/pkg_info.1
man/man1/pkg_view.1
+man/man5/audit-packages.conf.5
man/man5/pkg_summary.5
+sbin/audit-packages
+sbin/download-vulnerability-list
sbin/linkfarm
sbin/pkg_add
sbin/pkg_admin
@@ -22,3 +30,4 @@ sbin/pkg_create
sbin/pkg_delete
sbin/pkg_info
sbin/pkg_view
+share/examples/pkg_install/audit-packages.conf
diff --git a/pkgtools/pkg_install/files/Makefile.in b/pkgtools/pkg_install/files/Makefile.in
index 76d65266f0c..95eb89191b5 100644
--- a/pkgtools/pkg_install/files/Makefile.in
+++ b/pkgtools/pkg_install/files/Makefile.in
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile.in,v 1.6 2004/08/31 17:40:41 jlam Exp $
+# $NetBSD: Makefile.in,v 1.7 2007/07/14 20:17:06 adrianp Exp $
-SUBDIRS= lib add admin create delete info view
+SUBDIRS= lib add admin create delete info view audit-packages
all:
@for dir in $(SUBDIRS); do \
diff --git a/pkgtools/pkg_install/files/README b/pkgtools/pkg_install/files/README
index ef70fdf33f3..50ecf4b1a9b 100644
--- a/pkgtools/pkg_install/files/README
+++ b/pkgtools/pkg_install/files/README
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2005/05/30 13:23:31 wiz Exp $
+# $NetBSD: README,v 1.8 2007/07/14 20:17:07 adrianp Exp $
# Original from FreeBSD, no rcs id.
This is the pkg_install suite of tools for doing maintainance of
@@ -12,7 +12,8 @@ of dozen features on top. Whee! :-)
In another round of enhancements, NetBSD changes were added by
Alistair Crooks, Hubert Feyrer, Thorsten Frueauf, Rene Hexel,
-Christian E. Hopps, Thomas Klausner, Johnny Lam, and Matthias Scheler.
+Christian E. Hopps, Thomas Klausner, Johnny Lam, Matthias Scheler and
+Adrian Portelli.
When making snapshots, please modify PKGTOOLS_VERSION in lib/version.h
to that day's date.
diff --git a/pkgtools/pkg_install/files/audit-packages/AUTHORS b/pkgtools/pkg_install/files/audit-packages/AUTHORS
new file mode 100644
index 00000000000..f8cf8bc04ae
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/AUTHORS
@@ -0,0 +1,11 @@
+# $NetBSD: AUTHORS,v 1.1 2007/07/14 20:17:08 adrianp Exp $
+
+* The functions that deal with finding packages such as fixpkgname()
+ foundpkg() and checkforpkg() were taken from the pkg_install
+ set of tools. Authors for this include Jordan Hubbard, John Kohl,
+ Alistair Crooks, Hubert Feyrer, Thorsten Frueauf, Rene Hexel,
+ Christian E. Hopps, Thomas Klausner, Johnny Lam, and Matthias Scheler.
+
+* This is basically a re-write in C of the audit-packages tool
+ by Adrian Portelli (adrianp@NetBSD.org). The tool was originally
+ authored by Alistair G. Crooks (agc@NetBSD.org).
diff --git a/pkgtools/pkg_install/files/audit-packages/COPYING b/pkgtools/pkg_install/files/audit-packages/COPYING
new file mode 100644
index 00000000000..06166a71426
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/COPYING
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2007 Adrian Portelli <adrianp@NetBSD.org>.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * 3. Neither the name of author(s) nor the names of its contributors
+ * may be used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
diff --git a/pkgtools/pkg_install/files/audit-packages/Makefile.in b/pkgtools/pkg_install/files/audit-packages/Makefile.in
new file mode 100644
index 00000000000..724bd1ca373
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/Makefile.in
@@ -0,0 +1,85 @@
+# $NetBSD: Makefile.in,v 1.1 2007/07/14 20:17:08 adrianp Exp $
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+sbindir = @sbindir@
+mandir = @mandir@
+pprefix = @prefix@
+
+pkgdbdir = @pkgdbdir@
+sysconfdir = @sysconfdir@
+
+man5dir = $(mandir)/man5
+man1dir = $(mandir)/man1
+cat5dir = $(mandir)/cat5
+cat1dir = $(mandir)/cat1
+sharedir = $(prefix)/share/examples/pkg_install
+
+do_subst = sed -e 's,_pkgdbdir_,$(pkgdbdir),g' \
+ -e 's,_sysconfdir_,$(sysconfdir),g' \
+ -e 's,_prefix_,$(prefix),g' \
+ -e 's,_pprefix_,$(pprefix),g' \
+ -e 's,_ftp_,@ftp@,g' \
+ -e 's,_gzcat_,@gzcat@,g'
+
+CC = @CC@
+CCLD= $(CC)
+LIBS= -linstall @LIBS@
+CPPFLAGS= @CPPFLAGS@ -DHOST=\"$(CANONICAL_HOST)\" -DPKGSRC -I. -I../lib
+DEFS= @DEFS@
+CFLAGS= @CFLAGS@ -Wall
+LDFLAGS= @LDFLAGS@ -L../lib
+SUBST_FILES= audit-packages.1 download-vulnerability-list.1 audit-packages.conf audit-packages.conf.5 audit-packages.conf.cat5
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+CANONICAL_HOST = @CANONICAL_HOST@
+
+LINK= $(CCLD) $(CFLAGS) $(LDFLAGS) -o $@
+COMPILE= $(CC) $(DEFS) $(CPPFLAGS) $(CFLAGS)
+
+audit-packages_OBJS = audit-packages.o
+
+.c.o:
+ $(COMPILE) -c $< -o $@
+
+all: audit-packages
+
+audit-packages: $(audit-packages_OBJS)
+ $(LINK) $(audit-packages_OBJS) $(LIBS)
+
+subst:
+ @list='$(SUBST_FILES)'; for f in $$list; do \
+ $(do_subst) $$f > $$f.tmp; \
+ rm $$f; mv $$f.tmp $$f; \
+ done
+
+clean:
+ rm -f *.o audit-packages
+
+install:
+ $(INSTALL) -m 755 -d $(sbindir)
+ $(INSTALL) -m 755 -d $(man1dir)
+ $(INSTALL) -m 755 -d $(man5dir)
+ $(INSTALL) -m 755 -d $(cat1dir)
+ $(INSTALL) -m 755 -d $(cat5dir)
+ $(INSTALL) -m 755 -d $(sharedir)
+
+ $(INSTALL_PROGRAM) audit-packages $(DESTDIR)$(sbindir)/audit-packages
+ $(INSTALL_SCRIPT) download-vulnerability-list.sh \
+ $(DESTDIR)$(sbindir)/download-vulnerability-list
+ $(INSTALL_DATA) audit-packages.conf \
+ $(DESTDIR)$(sharedir)/audit-packages.conf
+ $(INSTALL_DATA) audit-packages.1 $(DESTDIR)$(man1dir)/audit-packages.1
+ $(INSTALL_DATA) audit-packages.cat1 \
+ $(DESTDIR)$(cat1dir)/audit-packages.0
+ $(INSTALL_DATA) audit-packages.conf.5 \
+ $(DESTDIR)$(man5dir)/audit-packages.conf.5
+ $(INSTALL_DATA) audit-packages.conf.cat5 \
+ $(DESTDIR)$(cat5dir)/audit-packages.conf.0
+ $(INSTALL_DATA) download-vulnerability-list.1 \
+ $(DESTDIR)$(man1dir)/download-vulnerability-list.1
+ $(INSTALL_DATA) download-vulnerability-list.cat1 \
+ $(DESTDIR)$(cat1dir)/download-vulnerability-list.0
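Review bot: The six `$(INSTALL) -m 755 -d` lines at the top of the `install` target create the directories under the bare `$(sbindir)`, `$(man1dir)`, `$(man5dir)`, `$(cat1dir)`, `$(cat5dir)` and `$(sharedir)`, while every file below them is copied into `$(DESTDIR)$(sbindir)` and friends; on a staged install with DESTDIR set the staging directories are never created and the real system prefix is modified instead. Each directory should be prefixed with `$(DESTDIR)` as shown below. Separately, the `subst` target runs `rm $$f; mv $$f.tmp $$f` unconditionally, so a failing sed leaves the target file deleted; `$(do_subst) $$f > $$f.tmp && mv $$f.tmp $$f` keeps the original on failure.
```makefile
install:
	$(INSTALL) -m 755 -d $(DESTDIR)$(sbindir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(man1dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(man5dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(cat1dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(cat5dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(sharedir)
	# … unchanged: $(INSTALL_PROGRAM)/$(INSTALL_SCRIPT)/$(INSTALL_DATA) file installs …
```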
diff --git a/pkgtools/pkg_install/files/audit-packages/README b/pkgtools/pkg_install/files/audit-packages/README
new file mode 100644
index 00000000000..d1fd769acc1
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/README
@@ -0,0 +1,5 @@
+# $NetBSD: README,v 1.1 2007/07/14 20:17:08 adrianp Exp $
+
+audit-packages, an easy way to audit the current machine, checking
+for each vulnerability listed by the security officer. If a vulnerable
+package is installed, it will be shown by output to stdout.
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.1.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.1.in
new file mode 100644
index 00000000000..06ea4fa958c
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.1.in
@@ -0,0 +1,336 @@
+.\" $NetBSD: audit-packages.1.in,v 1.1 2007/07/14 20:17:08 adrianp Exp $
+.\"
+.\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Jeremy C. Reed
+.\" for the NetBSD project.
+.\" 4. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 07, 2007
+.Os
+.Dt AUDIT-PACKAGES 1
+.Sh NAME
+.Nm audit-packages ,
+.Nm download-vulnerability-list
+.Nd show vulnerabilities in installed packages
+.Sh SYNOPSIS
+.Nm
+.Op Fl desVv
+.Op Fl c Ar config_file
+.Op Fl g Ar file
+.Op Fl h Ar file
+.Op Fl K Ar pkg_dbdir
+.Op Fl n Ar package
+.Op Fl p Ar package
+.Op Fl Q Ar varname
+.Op Fl t Ar type
+.Nm download-vulnerability-list
+.Op Fl hs
+.Op Fl c Ar config_file
+.Sh DESCRIPTION
+The
+.Nm
+program compares the installed packages with the
+.Pa pkg-vulnerabilities
+file and reports any known security issues to standard output.
+This output contains the name and version of the package, the
+type of vulnerability, and an URL for further information for each
+vulnerable package.
+.Pp
+The following flags are supported:
+.Bl -tag -width Ar
+.It Fl d
+Attempt to download the vulnerabilities
+file using the
+.Pa download-vulnerability-list
+script before scanning the installed packages for vulnerabilities.
+.It Fl e
+Check for end-of-life (eol) packages.
+.It Fl s
+Verify the signature of the current
+.Pa pkg-vulnerabilities
+file. The key used to sign the file is available from:
+.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
+.Pp
+In order for this to function correctly the above key must be
+added to the gpg keyring of the user who runs
+.Pa audit-packages -s
+and/or
+.Pa download-vulnerability-list -s .
+In addition to this the gpg binary must be installed on your system.
+The path to the gpg binary can be set in
+.Xr audit-packages.conf 5 .
+.Pp
+The requirement for GnuPG may go away in the future when a suitable
+replacement is implemented.
+.It Fl V
+Display the version number and exit.
+.It Fl v
+Be more verbose. Specify multiple -v flags to increase verbosity.
+Currently a maximum level of three is supported.
+.It Fl c Ar conf_file
+Specify a custom
+.Ar conf_file
+configuration file to use.
+.It Fl g Ar file
+Compute the SHA512 hash on
+.Ar file .
+.It Fl h Ar file
+Check the SHA512 hash of a
+.Ar file
+against the internally stored value.
+.It Fl K Ar pkg_dbdir
+Use package database directory
+.Ar pkg_dbdir .
+.It Fl n Ar package
+Check only the package
+.Ar package
+for vulnerabilities.
+.It Fl p Ar package
+Check only the installed package
+.Ar package
+for vulnerabilities.
+.It Fl Q Ar varname
+Display the current value of
+.Ar varname
+and exit. Currently supported
+.Ar varname
+are GPG, PKGVULNDIR and IGNORE_URLS.
+.It Fl t Ar type
+Only check for the specified
+.Ar type
+of vulnerability.
+.El
+.Pp
+The
+.Nm download-vulnerability-list
+program downloads the
+.Pa pkg-vulnerabilities
+file from
+.Pa ftp.NetBSD.org
+using
+.Xr ftp 1
+by default. This vulnerabilities file documents all known security issues in
+pkgsrc packages and is kept up-to-date by the
+.Nx
+pkgsrc-security team.
+.Pp
+The following flags are supported:
+.Bl -tag -width Ar
+.It Fl h
+Display program usage.
+.It Fl s
+Verify the signature of the current
+.Pa pkg-vulnerabilities
+file. In order for this to function correctly you will need to add the
+pkgsrc Security Team key to your gpg keyring and trust it. The key is
+available from:
+.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
+In addition to this the gpg binary must be installed on your system.
+The path to the gpg binary can be set in
+.Xr audit-packages.conf 5 .
+.It Fl c Ar conf_file
+Specify a custom
+.Ar conf_file
+configuration file to use.
+.El
+.Pp
+By default
+.Nm download-vulnerability-list
+will download a compressed version of
+.Pa pkg-vulnerabilities
+from ftp.netbsd.org. The default file downloaded is compressed using
+.Xr gzip 1 .
+The compression tool used can set in
+.Xr audit-packages.conf 5 .
+Currently only
+.Xr gzcat 1
+and
+.Xr bzcat 1
+are supported.
+.Pp
+Each line lists the package and vulnerable versions, the type of exploit,
+and an Internet address for further information:
+.Bl -item
+.It
+.Aq package pattern
+.Aq type
+.Aq url
+.El
+.Pp
+The type of exploit can be any text, although
+some common types of exploits listed are:
+.Bl -bullet -compact -offset indent
+.It
+cross-site-html
+.It
+cross-site-scripting
+.It
+denial-of-service
+.It
+eol
+.It
+file-permissions
+.It
+local-access
+.It
+local-code-execution
+.It
+local-file-read
+.It
+local-file-removal
+.It
+local-file-write
+.It
+local-root-file-view
+.It
+local-root-shell
+.It
+local-symlink-race
+.It
+local-user-file-view
+.It
+local-user-shell
+.It
+privacy-leak
+.It
+remote-code-execution
+.It
+remote-command-inject
+.It
+remote-file-creation
+.It
+remote-file-read
+.It
+remote-file-view
+.It
+remote-file-write
+.It
+remote-key-theft
+.It
+remote-root-access
+.It
+remote-root-shell
+.It
+remote-script-inject
+.It
+remote-server-admin
+.It
+remote-use-of-secret
+.It
+remote-user-access
+.It
+remote-user-file-view
+.It
+remote-user-shell
+.It
+unknown
+.It
+weak-authentication
+.It
+weak-encryption
+.It
+weak-ssl-authentication
+.El
+.Pp
+The type
+.Pa eol
+implies that the package is no longer maintained by the software vendor but
+is provided by the pkgsrc team for your convenience only. It may contain any
+number of the above mentioned vulnerabilities. Any packages of type eol
+are not reported by default. Run
+.Nm Fl e
+to also report on eol packages.
+.Pp
+By default, the vulnerabilities file is stored in the
+PKG_DBDIR
+directory. On a standard installation this will be set to @pkgdbdir@.
+If you have installed pkgsrc on a supported platform this will be what
+ever you specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>.
+The path to the
+.Pa pkg-vulnerabilities
+file can be set in
+.Xr audit-packages.conf 5 .
+.Sh EXIT STATUS
+.Ex -std audit-packages
+.Sh FILES
+@pkgdbdir@/pkg-vulnerabilities
+.Pp
+@sysconfdir@/audit-packages.conf
+.Sh EXAMPLES
+The
+.Nm download-vulnerability-list
+command can be run via
+.Xr cron 8
+to update the
+.Pa pkg-vulnerabilities
+file daily.
+And
+.Nm
+can be run via
+.Xr cron 8
+(or with
+.Nx Ap s
+.Pa /etc/security.local
+daily security script).
+.Pp
+The
+.Nm download-vulnerability-list
+command can be forced to use IPv4 with the following setting in
+@sysconfdir@/audit-packages.conf:
+.Pp
+FETCH_ARGS="-4"
+.Pp
+The
+.Nm download-vulnerability-list
+command can be forced to use http to download the
+.Pa pkg-vulnerabilities
+file with the following setting in
+@sysconfdir@/audit-packages.conf:
+.Pp
+FETCH_PROTO="http"
+.Sh SEE ALSO
+.Xr pkg_info 1 ,
+.Xr audit-packages.conf 5 ,
+.Xr mk.conf 5 ,
+.Xr packages 7 ,
+.%T "Documentation on the NetBSD Package System"
+.Sh HISTORY
+The
+.Nm
+and
+.Nm download-vulnerability-list
+commands were originally implemented and added to
+.Nx Ap s
+pkgsrc by
+.An Alistair Crooks
+on September 19, 2000. During April 2007
+.Nm
+was re-written by Adrian Portelli
+and support was added for compressed files and checking signatures on downloaded
+files.
+The original idea came from Roland Dowdeswell and Bill Sommerfeld.
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.c b/pkgtools/pkg_install/files/audit-packages/audit-packages.c
new file mode 100644
index 00000000000..1058191ae75
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.c
@@ -0,0 +1,1093 @@
+/* $NetBSD: audit-packages.c,v 1.1 2007/07/14 20:17:08 adrianp Exp $ */
+
+/*
+ * Copyright (c) 2007 Adrian Portelli <adrianp@NetBSD.org>.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * 3. Neither the name of author(s) nor the names of its contributors
+ * may be used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <err.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+
+/* depending where we are being built pull in crypto support */
+#ifdef PKGSRC
+#include <nbcompat/sha2.h>
+#else
+#include <sha2.h>
+#endif
+
+#include "lib.h"
+
+#ifndef PATH_MAX
+# ifdef MAXPATHLEN
+# define PATH_MAX MAXPATHLEN
+# else
+# define PATH_MAX 1024
+# endif
+#endif
+
+/* NetBSD has a special layout as it is included in the base OS */
+#ifdef NETBSD
+# define PREFIX "/usr"
+# define PKGPREFIX "/usr/pkg"
+# define SYSCONFDIR "/etc"
+#else
+# define PKGPREFIX PREFIX
+#endif
+
+/* macros */
+#define STRIP(c) ((c) == '\n' || (c) == '\'' || (c) == '\"' || \
+ (c) == '\t' || (c) == ' ' || (c) == '=')
+
+/* default for src/ install */
+const char DVL_BIN[] = PREFIX"/sbin/download-vulnerability-list";
+const char EOL_URL[] = "ftp://ftp.NetBSD.org/pub/NetBSD/packages/vulns";
+
+const int MSGSIZE = 1024; /* max message size */
+const int MAXLINELEN = 4092; /* max line length */
+const int MAXPKGNAMELEN = 1024; /* max pkg name */
+const int FORMAT[] = {1, 1, 0}; /* file format ver */
+const int MAXVERBOSE = 3; /* max verbosity */
+
+/* globals (from config file) */
+char *verify_bin = PKGPREFIX"/bin/gpg"; /* verify bin location */
+char *pvfile = NULL; /* p-v file location */
+char *pvdir = NULL; /* p-v dir location */
+char *ignore = NULL; /* ignore urls */
+
+/* globals */
+char *conf_file = SYSCONFDIR"/audit-packages.conf"; /* config file location */
+char *program_name; /* the program name */
+char *pkgname; /* package name in msg */
+
+/* program defaults */
+int verbose = 0; /* be quiet */
+Boolean eol = FALSE; /* don't check eol */
+
+int main(int, char **);
+void *safe_calloc(size_t, size_t);
+char *ap_fixpkgname(char *);
+static int foundpkg(const char *, void *);
+static int checkforpkg(char *);
+void usage(void);
+int dvl(void);
+void old_pvfile(void);
+void pv_format(FILE *);
+char *gen_hash(char *);
+char *get_hash(char *);
+int check_hash(char *);
+int check_sig(char *);
+int pv_message(char *[]);
+int ap_ignore(char *[]);
+void show_info(char *);
+void set_pvfile(char *);
+char *clean_conf(char *);
+int get_confvalues(void);
+char *safe_strdup(char *);
+
+/*
+ * TODO:
+ *
+ * merge download-vulnerability-list(1)
+ *
+ */
+
+/*
+ * get the options for what were doing and do the actual processing of
+ * the pkg-vulnerabilities file
+ */
+int
+main(int argc, char **argv)
+{
+ char *line_ptr;
+ char *one_pkg = NULL;
+ char *one_package = NULL;
+ char *pkg_type = NULL;
+ char *pv_token = NULL;
+ char *line_tmp = NULL;
+ char *pv_entry[] = {NULL, NULL, NULL};
+ char *line = NULL;
+ char *check_hash_file = NULL;
+ char *gen_hash_file = NULL;
+ char *hash_generated = NULL;
+ char *query_var = NULL;
+
+ int ch, i;
+ int line_count = 0;
+ int retval = -1;
+ int vuln_count = 0;
+
+ Boolean ignore_found = FALSE;
+ Boolean download = FALSE;
+ Boolean pkg_installed = FALSE;
+ Boolean verify_sig = FALSE;
+ Boolean check_one = FALSE;
+ Boolean type = FALSE;
+ Boolean cli_check_hash = FALSE;
+ Boolean cli_gen_hash = FALSE;
+ Boolean vuln_found = FALSE;
+ Boolean info = FALSE;
+
+ FILE *pv;
+
+ program_name = argv[0];
+
+ setprogname(program_name);
+
+ set_pvfile(_pkgdb_getPKGDB_DIR());
+
+ opterr = 0;
+
+ while ((ch = getopt(argc, argv, ":dveK:n:h:g:c:p:st:Q:V")) != -1) {
+
+ switch (ch) {
+
+ case 'h':
+ check_hash_file = optarg;
+ cli_check_hash = TRUE;
+ break;
+
+ case 'g':
+ gen_hash_file = optarg;
+ cli_gen_hash = TRUE;
+ break;
+
+ case 'd':
+ download = TRUE;
+ break;
+
+ case 'e':
+ eol = TRUE;
+ break;
+
+ case 'K':
+ _pkgdb_setPKGDB_DIR(optarg);
+ break;
+
+ case 'n':
+ one_package = optarg;
+ check_one = TRUE;
+ pkg_installed = FALSE;
+ break;
+
+ case 'c':
+ conf_file = optarg;
+ break;
+
+ case 'p':
+ one_package = optarg;
+ check_one = TRUE;
+ pkg_installed = TRUE;
+ break;
+
+ case 's':
+ verify_sig = TRUE;
+ break;
+
+ case 't':
+ pkg_type = optarg;
+ type = TRUE;
+ break;
+
+ case 'v':
+ if (verbose <= MAXVERBOSE)
+ ++verbose;
+ break;
+
+ case 'Q':
+ query_var = optarg;
+ info = TRUE;
+ break;
+
+ case 'V':
+ show_version();
+ /* not reached */
+
+ default:
+ usage();
+ break;
+ }
+ }
+ argc -= optind;
+ argc += optind;
+
+ /*
+ * generate the hash for a specified file (-g <file>)
+ *
+ * this is purely for download-vulnerability-list, users
+ * should not be directly calling audit-packages with -g <file>.
+ */
+ if (cli_gen_hash == TRUE) {
+
+ hash_generated = gen_hash(gen_hash_file);
+ fprintf(stdout, "%s\n", hash_generated);
+
+ exit(EXIT_SUCCESS);
+ }
+
+ /*
+ * check the hash and/or sig for a specified file
+ *
+ * if -h <file> is given then just the hash is checked
+ * but if -s -f <file> are given then both the hash and the
+ * sig are checked. this is purely for
+ * download-vulnerability-list, users should not be directly
+ * calling audit-packages with -h <file> or -s -h <file>.
+ */
+ if (cli_check_hash == TRUE) {
+
+ retval = check_hash(check_hash_file);
+
+ if (retval != 0) {
+ exit(EXIT_FAILURE);
+ } else {
+ if (verify_sig == TRUE) {
+ retval = check_sig(check_hash_file);
+
+ if (retval != 0) {
+ exit(EXIT_FAILURE);
+ } else {
+ exit(EXIT_SUCCESS);
+ }
+ } else {
+ exit(EXIT_SUCCESS);
+ }
+ }
+ }
+
+ /* tell the user where we are reading the config file from */
+ if (verbose >= 1)
+ fprintf(stderr, "Reading settings from: %s\n", conf_file);
+
+ /* get the config file values */
+ retval = get_confvalues();
+
+ /* if we found some IGNORE_URLS lines */
+ if (ignore != NULL)
+ ignore_found = TRUE;
+
+ if (verbose >= 2) {
+ fprintf(stderr, "debug2: Using PKGDB_DIR: %s\n", _pkgdb_getPKGDB_DIR());
+ fprintf(stderr, "debug2: Using pkg-vulnerabilities file: %s\n", pvfile);
+ fprintf(stderr, "debug2: Using verify tool: %s\n", verify_bin);
+ fprintf(stderr, "debug2: Using ignore directives: %s\n", ignore);
+ }
+
+ /* now that we have read in the config file we can show the info */
+ if (info == TRUE) {
+ show_info(query_var);
+ exit(EXIT_SUCCESS);
+ }
+
+ /* we need to download the file first and check it went ok */
+ if (download == TRUE) {
+ retval = dvl();
+
+ if (retval != 0)
+ exit(EXIT_FAILURE);
+ }
+
+ /* check for an old vulnerabilities file if we're being verbose */
+ if ((verbose >= 1) && (download == FALSE))
+ old_pvfile();
+
+ /* open pvfile */
+ if ((pv = fopen(pvfile, "r")) == NULL) {
+ errx(EXIT_FAILURE, "Unable to open: %s", pvfile);
+ }
+
+ /* check the #FORMAT from the pkg-vulnerabilities file */
+ pv_format(pv);
+
+ rewind(pv);
+
+ /* check the hashes */
+ retval = check_hash(pvfile);
+
+ if (retval != 0) {
+ errx(EXIT_FAILURE, "Hash mismatch.");
+ } else {
+ if (verbose >= 2)
+ fprintf(stderr, "debug2: Hash match.\n");
+ }
+
+ /* do signature checking - if required */
+ if (verify_sig == TRUE) {
+ retval = check_sig(pvfile);
+
+ if (retval != 0) {
+ errx(EXIT_FAILURE, "Signature verification failure.");
+ }
+ }
+
+ /*
+ * this is for -p:
+ * (Check a specific installed package for vulnerabilities.)
+ * we run pkg_info to get the package name into one_pkg
+ * and to check if it's actually installed.
+ *
+ * if we find that it's not installed then just exit silently.
+ */
+ if ((pkg_installed == TRUE) && (check_one == TRUE)) {
+ if ((checkforpkg(one_package)) == 0) {
+ if (verbose >= 3)
+ fprintf(stderr, "debug3: Package found to be installed (-p): %s\n", one_package);
+ } else {
+ if (verbose >= 3)
+ fprintf(stderr, "debug3: Package not found to be installed (-p): %s\n", one_package);
+ exit(EXIT_SUCCESS);
+ }
+ }
+
+ /*
+ * this is for -n
+ * Check a specific installed package for vulnerabilities.
+ *
+ * here we don't care if it's installed or not.
+ */
+ if ((pkg_installed == FALSE) && (check_one == TRUE)) {
+ one_pkg = one_package;
+ pkgname = one_package;
+
+ if (verbose >= 3)
+ fprintf(stderr, "debug3: Looking for package (-n): %s\n", one_pkg);
+ }
+
+ line = safe_calloc(MAXLINELEN, sizeof(char));
+ rewind(pv);
+
+ while ((line_ptr = fgets(line, MAXLINELEN, pv)) != NULL) {
+
+ ++line_count;
+
+ /* what we're not interested in */
+ if ((line[0] == '#') ||
+ (line[0] == '\n') ||
+ (strncmp(line, "-----BEGIN", 10) == 0) ||
+ (strncmp(line, "Hash:", 5) == 0))
+ continue;
+
+ /* effective EOF */
+ if (strncmp(line, "Version:", 8) == 0)
+ break;
+
+ i = 0;
+
+ line_tmp = safe_strdup(line);
+
+ if (line_tmp[strlen(line_tmp) - 1] == '\n')
+ line_tmp[strlen(line_tmp) - 1] = ' ';
+
+ do {
+ pv_token = strsep(&line_tmp, " \t");
+
+ /*
+ * pv_entry[0] = pattern
+ * pv_entry[1] = type
+ * pv_entry[2] = URL
+ */
+
+ /* loop processing all tokens into pv_entry[] */
+ if ((pv_token != NULL) &&
+ (pv_token[0] != '\0') &&
+ (pv_token[0] != ' ')) {
+ /* three tokens make a valid entry */
+ pv_entry[i] = pv_token;
+ ++i;
+ }
+ } while ((pv_token != NULL) && (i <= 2));
+
+ /* look for invalid (short) entries */
+ if (i < 3) {
+ errx(EXIT_FAILURE, "Invalid pkg-vulnerabilities entry rejected on line %i.", line_count);
+ }
+
+ /* if doing type checking, ignore what we don't want to see */
+ if (type == TRUE) {
+ if (strcmp(pv_entry[1], pkg_type) != 0)
+ continue;
+ }
+
+ /* deal with URLs that we're ignorning */
+ if (ignore_found == TRUE) {
+ retval = ap_ignore(pv_entry);
+
+ /* if we got an ignore hit then stop here */
+ if (retval == 1)
+ continue;
+ }
+
+ if (check_one == TRUE) {
+
+ /*
+ * if we're checking for just one package (i.e.
+ * check_one) regardless if it's installed or not
+ * (i.e. -n and -p) then use pmatch
+ * to see if we have a hit using pattern
+ * matching.
+ */
+
+ if ((pmatch(pv_entry[0], one_package)) == 1) {
+
+ /* flag to indicate we have found something */
+ vuln_found = TRUE;
+ }
+
+ } else {
+
+ /*
+ * if we're not checking for a specific package
+ * then run checkforpkg to see if the
+ * pattern in pv_entry[0] is installed.
+ */
+
+ if ((checkforpkg(pv_entry[0])) == 0) {
+
+ /* flag to indicate we have found something */
+ vuln_found = TRUE;
+ }
+ }
+
+ /* display the messages for all the vulnerable packages seen */
+ if (vuln_found == TRUE) {
+
+ /* EOL or vulnerable message and increment the count */
+ retval = pv_message(pv_entry);
+ vuln_count = vuln_count + retval;
+
+ /* reset the found flag */
+ vuln_found = FALSE;
+ }
+ }
+
+ /* bail if ferror is set */
+ if (ferror(pv) != 0) {
+ errx(EXIT_FAILURE, "Unable to read specified pkg-vulnerabilities file: %s", pvfile);
+ }
+
+ fclose(pv);
+
+ free(line);
+
+ if ((verbose >= 1) && (vuln_count == 0))
+ fprintf(stderr, "No vulnerable packages found.\n");
+
+ if (vuln_count == 0) {
+ return EXIT_SUCCESS;
+ } else {
+ return EXIT_FAILURE;
+ }
+}
+
+/* wrap calloc in some common error checking */
+void *
+safe_calloc(size_t number, size_t size)
+{
+ void *ptr;
+
+ ptr = calloc(number, size);
+
+ if (ptr == NULL) {
+ errx(EXIT_FAILURE, "Unable to allocate memory at line: %d.", __LINE__);
+ }
+
+ return ptr;
+}
+
+/* fix a pkgname by removing a directory prefix (if any) */
+char *
+ap_fixpkgname(char *fixpkgname)
+{
+ char *tmppkgname = NULL;
+ char *retval = NULL;
+
+ retval = safe_calloc(MAXPKGNAMELEN, sizeof(char));
+
+ /* get the last separator */
+ tmppkgname = strrchr(fixpkgname, '/');
+
+ /* if there's no separator present then we assume the name is ok */
+ if (tmppkgname == NULL) {
+ retval = fixpkgname;
+ } else {
+ /* strrchr will leave the first separator still in the string */
+ if (tmppkgname[0] == '/')
+ strlcpy(retval, &tmppkgname[1], MAXPKGNAMELEN);
+ }
+
+ return retval;
+}
+
+/* clean a valid line from the configuration file */
+char *
+clean_conf(char *conf_line)
+{
+ int i = 0;
+ char *token = NULL;
+ char *cp;
+
+ if (((cp = strchr(conf_line, '\n')) == NULL) ||
+ ((cp = strchr(conf_line, '=')) == NULL)) {
+ /* no newline or no '=' */
+ errx(EXIT_FAILURE, "Malformed entry in audit-packages.conf file.");
+ }
+
+ /* split the line up and get what we need */
+ token = strchr(conf_line, '=');
+
+ /* remove any leading characters we don't want */
+ while (STRIP(*token)) {
+ token++;
+ }
+
+ /* remove any trailing characters we don't want */
+ for (i = (strlen(token) - 1); i > 0; --i) {
+ if (STRIP(token[i])) {
+ token[i] = '\0';
+ } else {
+ i = 0;
+ }
+ }
+
+ return token;
+}
+
+/* read in our values from a configuration file */
+int
+get_confvalues(void)
+{
+ FILE *conf;
+ char *line_ptr = NULL;
+ char *line = NULL;
+ char *retval = NULL;
+
+ if ((conf = fopen(conf_file, "r")) == NULL) {
+ if (verbose >= 1)
+ fprintf(stderr, "Unable to open specified configuration file: %s\n", conf_file);
+ return 0;
+ }
+
+ line = safe_calloc(MAXLINELEN, sizeof(char));
+
+ while ((line_ptr = fgets(line, MAXLINELEN, conf)) != NULL) {
+
+ /* what we're not interested in */
+ if ((line[0] == '#') || (line[0] == '\n'))
+ continue;
+
+ if (strncmp(line, "IGNORE_URLS", 11) == 0) {
+ retval = clean_conf(line);
+ if (retval != NULL)
+ ignore = safe_strdup(retval);
+ }
+ else if (strncmp(line, "GPG", 3) == 0) {
+ retval = clean_conf(line);
+ if (retval != NULL)
+ verify_bin = retval;
+ }
+ else if (strncmp(line, "PKGVULNDIR", 9) == 0) {
+ retval = clean_conf(line);
+ if (retval != NULL)
+ set_pvfile(retval);
+ }
+
+ retval = NULL;
+ }
+
+ /* bail if eof has not been set or ferror is set */
+ if ((feof(conf) == 0) || (ferror(conf) != 0)) {
+ errx(EXIT_FAILURE, "Unable to read specified configuration file: %s", conf_file);
+ }
+
+ free(line);
+ fclose(conf);
+
+ return 0;
+}
+
+/* called by checkforpkg to see if a package exists */
+static int
+foundpkg(const char *found, void *vp)
+{
+ char *data = vp;
+ char *buf;
+ int retval = 0;
+
+ buf = safe_calloc(PATH_MAX, sizeof(char));
+
+ /* we only want to display this if it really is a directory */
+ retval = snprintf(buf, PATH_MAX, "%s/%s", data, found);
+
+ if (retval < 0 || retval >= PATH_MAX)
+ return 0;
+
+ if (!(isdir(buf) || islinktodir(buf)))
+ return -1; /* return value seems to be ignored for now */
+
+ pkgname = ap_fixpkgname(buf);
+ free(buf);
+
+ return 0;
+}
+
+/* check to see if a package exists */
+static int
+checkforpkg(char *one_package)
+{
+ char *dbdir = NULL;
+ int retval;
+ char *buf = NULL;
+ char *try = NULL;
+
+ dbdir = _pkgdb_getPKGDB_DIR();
+
+ /* expensive (pattern) match */
+ if (strpbrk(one_package, "<>[]?*{")) {
+ retval = findmatchingname(dbdir, one_package, foundpkg, dbdir);
+
+ if (retval == -1) {
+ return 1;
+ } else {
+ return !retval;
+ }
+ }
+
+ buf = safe_calloc(PATH_MAX, sizeof(char));
+
+ /* simple match */
+ (void) snprintf(buf, PATH_MAX, "%s/%s", dbdir, one_package);
+ retval = !(isdir(buf) || islinktodir(buf));
+
+ pkgname = ap_fixpkgname(buf);
+
+ if (retval == 1) {
+
+ /* found nothing - try 'pkg-[0-9]*' */
+ try = safe_calloc(PATH_MAX, sizeof(char));
+
+ snprintf(try, PATH_MAX, "%s-[0-9]*", one_package);
+ if (findmatchingname(dbdir, try, foundpkg, dbdir) > 0)
+ retval = 0;
+ }
+
+ free(buf);
+ free(try);
+
+ return retval;
+}
+
+/* usage message for this program */
+void
+usage(void)
+{
+ fprintf(stderr, "Usage: %s [-desVv] [-c config_file] [-g file] [-h file] [-K pkg_dbdir] [-n package] [-p package] [-Q varname ] [-t type]\n", program_name);
+ fprintf(stderr, "\t-d : Run the download-vulnerability-list script before anything else.\n");
+ fprintf(stderr, "\t-e : Check for end-of-life (eol) packages.\n");
+ fprintf(stderr, "\t-s : Verify the signature of the pkg-vulnerabilities file.\n");
+ fprintf(stderr, "\t-V : Display version and exit.\n");
+ fprintf(stderr, "\t-v : Be more verbose. Specify multiple -v flags to increase verbosity.\n");
+ fprintf(stderr, "\t-c : Specify a custom configuration file to use.\n");
+ fprintf(stderr, "\t-g : Compute the hash of a file.\n");
+ fprintf(stderr, "\t-h : Check the hash of a file against the internally stored value.\n");
+ fprintf(stderr, "\t-K : Use pkg_dbdir as PKG_DBDIR.\n");
+ fprintf(stderr, "\t-n : Check a specific package for vulnerabilities.\n");
+ fprintf(stderr, "\t-p : Check a specific installed package for vulnerabilities.\n");
+ fprintf(stderr, "\t-Q : Display the current value of varname and exit.\n");
+ fprintf(stderr, "\t-t : Only check for a specific type of vulnerability.\n");
+ exit(EXIT_SUCCESS);
+}
+
+/* we need to download the file first */
+int
+dvl(void)
+{
+ int retval = -1;
+
+ /* execute download-vulnerability-list */
+ retval = fexec(DVL_BIN, NULL);
+
+ if (retval != 0) {
+ errx(EXIT_FAILURE, "Failure running: %s", DVL_BIN);
+ }
+
+ return retval;
+}
+
+/* check for an old vulnerabilities file if we're being verbose */
+void
+old_pvfile(void)
+{
+ float t_diff;
+ int long t_current, t_pvfile;
+ struct stat pvstat;
+ struct timeval now_time = {0, 0};
+
+ /* we already know it exists */
+ stat(pvfile, &pvstat);
+
+ if ((gettimeofday(&now_time, NULL)) != 0) {
+ warnx("Unable to get current time. You pkg-vulnerabilities file may be out of date.");
+ } else {
+ /* difference between the file and now */
+ t_current = now_time.tv_sec;
+ t_pvfile = pvstat.st_ctimespec.tv_sec;
+ t_diff = (((((float) t_current - (float) t_pvfile) / 60) / 60) / 24);
+
+ if (t_diff >= 7)
+ fprintf(stderr, "%s more than a week old, continuing...\n", pvfile);
+
+ if (verbose >= 2)
+ fprintf(stderr, "debug2: pkg-vulnerabilities file %.2f day(s) old.\n", t_diff);
+ }
+}
+
+/* get the #FORMAT from the pkg-vulnerabilities file */
+void
+pv_format(FILE * pv)
+{
+ char *line = NULL;
+ char *line_ptr;
+
+ int major = 0;
+ int minor = 0;
+ int teeny = 0;
+ int format_found = 0;
+
+ if (verbose >= 3)
+ fprintf(stderr, "debug3: File format required: #FORMAT %i.%i.%i\n", FORMAT[0], FORMAT[1], FORMAT[2]);
+
+ line = safe_calloc(MAXLINELEN, sizeof(char));
+
+ while ((line_ptr = fgets(line, MAXLINELEN, pv)) != NULL) {
+
+ /* this time round this is all we're interested in */
+ if (strncmp(line, "#FORMAT", 6) == 0) {
+
+ sscanf(line, "#FORMAT %i.%i.%i",
+ &major, &minor, &teeny);
+
+ if (line[strlen(line) - 1] == '\n')
+ line[strlen(line) - 1] = '\0';
+
+ format_found = 1;
+
+ if (verbose >= 3)
+ fprintf(stdout, "debug3: File format detected: %s\n", line);
+
+ break;
+ }
+ }
+
+ /* compare the #FORMAT with what we expect to see */
+ if (format_found == 1) {
+ if ((major < FORMAT[0]) ||
+ (minor < FORMAT[1]) ||
+ (teeny < FORMAT[2])) {
+ errx(EXIT_FAILURE, "Your pkg-vulnerabilites file is out of date.\nPlease update audit-packages and run download-vulnerability-list again.");
+ }
+ } else {
+ errx(EXIT_FAILURE, "No file format version found in: %s.\nPlease update audit-packages and run download-vulnerability-list again.", pvfile);
+ }
+
+ free(line);
+}
+
+/* extract the stored hash in the pkg-vulnerabilities file */
+char *
+get_hash(char *hash_input)
+{
+ char *line = NULL;
+ char *hash = NULL;
+ char *line_ptr = NULL;
+
+ int hash_found = 0;
+
+ FILE *hash_in;
+
+ if ((hash_in = fopen(hash_input, "r")) == NULL) {
+ errx(EXIT_FAILURE, "Unable to open: %s", hash_input);
+ }
+
+ line = safe_calloc(MAXLINELEN, sizeof(char));
+
+ while ((line_ptr = fgets(line, MAXLINELEN, hash_in)) != NULL) {
+ if (strncmp(line, "#CHECKSUM SHA512", 16) == 0) {
+
+ hash = safe_calloc(SHA512_DIGEST_STRING_LENGTH, sizeof(char));
+ sscanf(line, "#CHECKSUM SHA512 %129s", hash);
+ hash_found = 1;
+
+ break;
+ }
+ }
+
+ if (hash_found == 0) {
+ errx(EXIT_FAILURE, "No hash found in: %s\nPlease update audit-packages and run download-vulnerability-list again.", pvfile);
+ }
+
+ fclose(hash_in);
+ free(line);
+
+ return hash;
+}
+
+/* check the internally stored hash against the computed hash (-h <file>) */
+int
+check_hash(char *hash_input)
+{
+ int retval = -1;
+ char *hash_stored = NULL;
+ char *hash_generated = NULL;
+
+ hash_generated = gen_hash(hash_input);
+
+ /* if gen_hash() failed then return now */
+ if (hash_generated == NULL)
+ return retval;
+
+ if (verbose >= 2)
+ fprintf(stderr, "debug2: Hash generated: %s\n", hash_generated);
+
+ hash_stored = get_hash(hash_input);
+
+ /* if get_hash() failed then return now */
+ if (hash_stored == NULL)
+ return retval;
+
+ if (verbose >= 2)
+ fprintf(stderr, "debug2: Hash stored: %s\n", hash_stored);
+
+ /* do the hash comparison */
+ if (strncmp(hash_generated, hash_stored, SHA512_DIGEST_STRING_LENGTH) == 0) {
+ retval = 0;
+ } else {
+ retval = -1;
+ }
+
+ return retval;
+}
+
+/* do the hash calculation on specified input */
+char *
+gen_hash(char *hash_input)
+{
+ char *hash_result = NULL;
+ char *hash_calc = NULL;
+ char *line = NULL;
+ char *line_ptr;
+
+ int j = 0;
+ int i = 0;
+
+ FILE *hash_in;
+
+ if ((hash_in = fopen(hash_input, "r")) == NULL) {
+ errx(EXIT_FAILURE, "Unable to open: %s", hash_input);
+ }
+
+ SHA512_CTX hash_ctx;
+ SHA512_Init(&hash_ctx);
+
+ line = safe_calloc(MAXLINELEN, sizeof(char));
+
+ while ((line_ptr = fgets(line, MAXLINELEN, hash_in)) != NULL) {
+
+ /* what we're not interested in */
+ if ((strncmp(line, "# $NetBSD:", 10) == 0) ||
+ (line[0] == '\n') ||
+ (strncmp(line, "-----BEGIN", 10) == 0) ||
+ (strncmp(line, "Hash:", 5) == 0) ||
+ (strncmp(line, "#CHECKSUM", 9) == 0 ))
+ continue;
+
+ /* effective EOF */
+ if (strncmp(line, "Version:", 8) == 0)
+ break;
+
+ SHA512_Update(&hash_ctx, (unsigned char *)line, strlen(line));
+ }
+
+ /* get the hash_result into a human readable string */
+ hash_calc = safe_calloc(SHA512_DIGEST_STRING_LENGTH, sizeof(char));
+ hash_result = safe_calloc(SHA512_DIGEST_LENGTH, sizeof(char));
+
+ SHA512_Final((unsigned char *)hash_result, &hash_ctx);
+
+ for (i = 0; i < SHA512_DIGEST_LENGTH; ++i) {
+ sprintf(&hash_calc[j], "%02x", hash_result[i] & 0xFF);
+ j = j + 2;
+ }
+
+ fclose(hash_in);
+ free(hash_result);
+ free(line);
+
+ return hash_calc;
+}
+
+/* do signature checking - if required */
+int
+check_sig(char *sig_input)
+{
+ int retval = -1;
+
+ if (verbose >= 3)
+ fprintf(stderr, "debug3: Attempting to verify signature.\n");
+
+ /* execute our verification tool */
+ retval = fexec(verify_bin, "--verify", "--batch", "--no-options", sig_input, NULL);
+
+ return retval;
+}
+
+/* print the messages for eol and vulnerable packages */
+int
+pv_message(char *pv_entry[])
+{
+ int retval = 0;
+
+ /* deal with eol'ed packages */
+ if (strcmp(pv_entry[1], "eol") == 0) {
+ if (eol == TRUE) {
+ fprintf(stderr, "Package %s has reached end-of-life (eol), see %s/eol-packages\n", pv_entry[0], EOL_URL);
+ }
+ } else {
+ /* return that we found a vulnerable package */
+ retval = 1;
+
+ /* Just make sure we display _something_ useful here */
+ if (pkgname == NULL)
+ pkgname = pv_entry[0];
+
+ fprintf(stderr, "Package %s has a %s vulnerability, see %s\n", pkgname, pv_entry[1], pv_entry[2]);
+ }
+
+ return retval;
+}
+
+/* deal with URLs that we're ignorning */
+int
+ap_ignore(char *pv_entry[])
+{
+ char *ignore_tmp = NULL;
+ char *ig_token = NULL;
+
+ int retval = 0;
+ int ignore_hit = 0;
+
+ ignore_tmp = safe_strdup(ignore);
+
+ while ((ig_token = strsep(&ignore_tmp, " ")) != NULL) {
+
+ /* ignore empty tokens as well */
+ if (ig_token[0] != '\0') {
+ /* see we have an IGNORE_URLS hit */
+ if (strcmp(pv_entry[2], ig_token) == 0) {
+ ignore_hit = 1;
+ break;
+ }
+ }
+ }
+
+ /* if we're seen an IGNORE_URLS then don't bother going on */
+ if (ignore_hit == 1) {
+ if (verbose >= 1) {
+ fprintf(stderr, "Ignoring vulnerability for %s with pattern: %s\n", pv_entry[2], pv_entry[0]);
+ }
+
+ /* return that we got an ignore hit */
+ retval = 1;
+ }
+
+ return retval;
+}
+
+/* at the moment we really don't need to clean anything up */
+void
+cleanup(int signo)
+{
+}
+
+/* print what the current settings are */
+void
+show_info(char *varname)
+{
+ if (strncmp(varname, "GPG", 3) == 0) {
+ fprintf(stdout, "%s\n", verify_bin);
+ }
+ else if (strncmp(varname, "PKGVULNDIR", 9) == 0) {
+ fprintf(stdout, "%s\n", pvdir);
+ }
+ else if (strncmp(varname, "IGNORE_URLS", 11) == 0) {
+ fprintf(stdout, "%s\n", ignore);
+ }
+}
+
+/* set the location for the pkg-vulnerabilities file */
+void
+set_pvfile(char *vuln_dir)
+{
+ char *pvloc = NULL;
+ size_t retval;
+ const char pvname[] = "/pkg-vulnerabilities";
+
+ pvloc = safe_calloc(MAXPATHLEN, sizeof(char));
+ retval = strlcpy(pvloc, vuln_dir, MAXPATHLEN);
+ retval = strlcat(pvloc, pvname, MAXPATHLEN);
+
+ pvdir = safe_strdup(vuln_dir);
+ pvfile = safe_strdup(pvloc);
+
+ free(pvloc);
+}
+
+/* duplicate a string and check the return value */
+char *
+safe_strdup(char *dupe)
+{
+ char *retval;
+
+ if ((retval = strdup(dupe)) == NULL) {
+ errx(EXIT_FAILURE, "Unable to allocate memory at line: %d.", __LINE__);
+ }
+
+ return retval;
+}
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in
new file mode 100644
index 00000000000..2a84417e27c
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in
@@ -0,0 +1,183 @@
+AUDIT-PACKAGES(1) NetBSD General Commands Manual AUDIT-PACKAGES(1)
+
+NNAAMMEE
+ aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in
+ installed packages
+
+SSYYNNOOPPSSIISS
+ aauuddiitt--ppaacckkaaggeess [--ddeessVVvv] [--cc _c_o_n_f_i_g___f_i_l_e] [--gg _f_i_l_e] [--hh _f_i_l_e]
+ [--KK _p_k_g___d_b_d_i_r] [--nn _p_a_c_k_a_g_e] [--pp _p_a_c_k_a_g_e] [--QQ _v_a_r_n_a_m_e]
+ [--tt _t_y_p_e]
+ ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt [--hhss] [--cc _c_o_n_f_i_g___f_i_l_e]
+
+DDEESSCCRRIIPPTTIIOONN
+ The aauuddiitt--ppaacckkaaggeess program compares the installed packages with the
+ _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file and reports any known security issues to stan-
+ dard output. This output contains the name and version of the package,
+ the type of vulnerability, and an URL for further information for each
+ vulnerable package.
+
+ The following flags are supported:
+
+ --dd Attempt to download the vulnerabilities file using the
+ _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t script before scanning the
+ installed packages for vulnerabilities.
+
+ --ee Check for end-of-life (eol) packages.
+
+ --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file. The key used to sign the file is available from:
+ _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c
+
+ In order for this to function correctly the above key must
+ be added to the gpg keyring of the user who runs
+ _a_u_d_i_t_-_p_a_c_k_a_g_e_s _-_s and/or _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t _-_s.
+ In addition to this the gpg binary must be installed on
+ your system. The path to the gpg binary can be set in
+ audit-packages.conf(5).
+
+ The requirement for GnuPG may go away in the future when a
+ suitable replacement is implemented.
+
+ --VV Display the version number and exit.
+
+ --vv Be more verbose. Specify multiple -v flags to increase ver-
+ bosity. Currently a maximum level of three is supported.
+
+ --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use.
+
+ --gg _f_i_l_e Compute the SHA512 hash on _f_i_l_e.
+
+ --hh _f_i_l_e Check the SHA512 hash of a _f_i_l_e against the internally
+ stored value.
+
+ --KK _p_k_g___d_b_d_i_r Use package database directory _p_k_g___d_b_d_i_r.
+
+ --nn _p_a_c_k_a_g_e Check only the package _p_a_c_k_a_g_e for vulnerabilities.
+
+ --pp _p_a_c_k_a_g_e Check only the installed package _p_a_c_k_a_g_e for vulnerabili-
+ ties.
+
+ --QQ _v_a_r_n_a_m_e Display the current value of _v_a_r_n_a_m_e and exit. Currently
+ supported _v_a_r_n_a_m_e are GPG, PKGVULNDIR and IGNORE_URLS.
+
+ --tt _t_y_p_e Only check for the specified _t_y_p_e of vulnerability.
+
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file from _f_t_p_._N_e_t_B_S_D_._o_r_g using ftp(1) by default. This vulnerabilities
+ file documents all known security issues in pkgsrc packages and is kept
+ up-to-date by the NetBSD pkgsrc-security team.
+
+ The following flags are supported:
+
+ --hh Display program usage.
+
+ --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file. In order for this to function correctly you will
+ need to add the pkgsrc Security Team key to your gpg
+ keyring and trust it. The key is available from:
+ _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c
+ In addition to this the gpg binary must be installed on
+ your system. The path to the gpg binary can be set in
+ audit-packages.conf(5).
+
+ --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use.
+
+ By default ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt will download a compressed version
+ of _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s from ftp.netbsd.org. The default file downloaded
+ is compressed using gzip(1). The compression tool used can set in
+ audit-packages.conf(5). Currently only gzcat(1) and bzcat(1) are sup-
+ ported.
+
+ Each line lists the package and vulnerable versions, the type of exploit,
+ and an Internet address for further information:
+
+ <package pattern> <type> <url>
+
+ The type of exploit can be any text, although some common types of
+ exploits listed are:
+ ++oo cross-site-html
+ ++oo cross-site-scripting
+ ++oo denial-of-service
+ ++oo eol
+ ++oo file-permissions
+ ++oo local-access
+ ++oo local-code-execution
+ ++oo local-file-read
+ ++oo local-file-removal
+ ++oo local-file-write
+ ++oo local-root-file-view
+ ++oo local-root-shell
+ ++oo local-symlink-race
+ ++oo local-user-file-view
+ ++oo local-user-shell
+ ++oo privacy-leak
+ ++oo remote-code-execution
+ ++oo remote-command-inject
+ ++oo remote-file-creation
+ ++oo remote-file-read
+ ++oo remote-file-view
+ ++oo remote-file-write
+ ++oo remote-key-theft
+ ++oo remote-root-access
+ ++oo remote-root-shell
+ ++oo remote-script-inject
+ ++oo remote-server-admin
+ ++oo remote-use-of-secret
+ ++oo remote-user-access
+ ++oo remote-user-file-view
+ ++oo remote-user-shell
+ ++oo unknown
+ ++oo weak-authentication
+ ++oo weak-encryption
+ ++oo weak-ssl-authentication
+
+ The type _e_o_l implies that the package is no longer maintained by the
+ software vendor but is provided by the pkgsrc team for your convenience
+ only. It may contain any number of the above mentioned vulnerabilities.
+ Any packages of type eol are not reported by default. Run aauuddiitt--ppaacckkaaggeess
+ --ee to also report on eol packages.
+
+ By default, the vulnerabilities file is stored in the PKG_DBDIR direc-
+ tory. On a standard installation this will be set to @pkgdbdir@. If you
+ have installed pkgsrc on a supported platform this will be what ever you
+ specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>. The path
+ to the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file can be set in audit-packages.conf(5).
+
+EEXXIITT SSTTAATTUUSS
+ The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs.
+
+FFIILLEESS
+ @pkgdbdir@/pkg-vulnerabilities
+
+ @sysconfdir@/audit-packages.conf
+
+EEXXAAMMPPLLEESS
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be run via cron(8) to update
+ the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily. And aauuddiitt--ppaacckkaaggeess can be run via
+ cron(8) (or with NetBSD's _/_e_t_c_/_s_e_c_u_r_i_t_y_._l_o_c_a_l daily security script).
+
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use IPv4 with
+ the following setting in @sysconfdir@/audit-packages.conf:
+
+ FETCH_ARGS="-4"
+
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use http to
+ download the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file with the following setting in
+ @sysconfdir@/audit-packages.conf:
+
+ FETCH_PROTO="http"
+
+SSEEEE AALLSSOO
+ pkg_info(1), audit-packages.conf(5), mk.conf(5), packages(7),
+ _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m
+
+HHIISSTTOORRYY
+ The aauuddiitt--ppaacckkaaggeess and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were origi-
+ nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on
+ September 19, 2000. During April 2007 aauuddiitt--ppaacckkaaggeess was re-written by
+ Adrian Portelli and support was added for compressed files and checking
+ signatures on downloaded files. The original idea came from Roland
+ Dowdeswell and Bill Sommerfeld.
+
+NetBSD 3.1 July 07, 2007 NetBSD 3.1
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.5.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.5.in
new file mode 100644
index 00000000000..e3e405b6802
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.5.in
@@ -0,0 +1,123 @@
+.\" $NetBSD: audit-packages.conf.5.in,v 1.1 2007/07/14 20:17:09 adrianp Exp $
+.\"
+.\" Copyright (c) 2007 Adrian Portelli. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Adrian Portelli
+.\" for the NetBSD project.
+.\" 4. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 07, 2007
+.Os
+.Dt audit-packages.conf 5
+.Sh NAME
+.Nm audit-packages.conf
+.Nd audit-packages and download-vulnerability-list configuration file.
+.Sh DESCRIPTION
+The
+.Nm
+file contains the configuration information for
+.Xr download-vulnerability-list 8
+and
+.Xr audit-packages 8 .
+.Pp
+These variables can be defined in the
+.Xr audit-packages.conf 8
+file.
+.Pp
+.Bl -tag -width COMPRESS_TYPE
+.It Ev GPG
+The full path to the location of the binary used to verify the signature
+on the downloaded
+.Pa pkg-vulnerabilities
+file. Currently only GnuPG is supported.
+.Pp
+The default is "@prefix@/bin/gpg".
+.It Ev PKGVULNDIR
+Specifies the directory containing the
+.Pa pkg-vulnerabilities
+file.
+.Pp
+The default is "@pkgdbdir@".
+.It Ev COMPRESS_TYPE
+Specifies which type of compressed
+.Pa pkg-vulnerabilities
+file to download. You can also specify COMPRESS_TYPE="" to use
+and uncompressed version of the file. If you change this from the
+default you must specify a COMPRESS_TOOL. The
+currently accepted options are gzip and bzip2.
+.It Ev COMPRESS_TOOL
+The full path to the location of the binary used to
+decompress the downloaded
+.Pa pkg-vulnerabilities
+file.
+.Pp
+The default is "@gzcat@".
+.It Ev FETCH_CMD
+Specifies the client used to download the
+.Pa pkg-vulnerabilities
+file. Currently known tools include curl, ftp, wget and fetch.
+.Pp
+The default is @ftp@.
+.It Ev FETCH_ARGS
+Specifies optional arguments for the client used to download the
+.Pa pkg-vulnerabilities
+file.
+.It Ev FETCH_PROTO
+Specifies the protocol to use when fetching the
+.Pa pkg-vulnerabilities
+file.
+Currently supports only http and ftp.
+.Pp
+The default is "ftp".
+.It Ev IGNORE_URLS
+A list of vulnerability URLs to be ignored.
+This allows for ignoring certain URLs that are attached to a
+vulnerability.
+.El
+.Sh FILES
+@sysconfdir@/audit-packages.conf
+.Sh SEE ALSO
+.Xr pkg_info 1 ,
+.Xr mk.conf 5 ,
+.Xr packages 7 ,
+.Xr audit-packages 8 and
+.%T "Documentation on the NetBSD Package System"
+.Sh HISTORY
+The
+.Nm
+and
+.Nm download-vulnerability-list
+commands were originally implemented and added to
+.Nx Ap s
+pkgsrc by
+.An Alistair Crooks
+on September 19, 2000. During April 2007
+.Nm
+was re-written by Adrian Portelli
+and support was added for compressed files and checking signatures on downloaded
+files.
+The original idea came from Roland Dowdeswell and Bill Sommerfeld.
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.cat5.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.cat5.in
new file mode 100644
index 00000000000..767176797e8
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.cat5.in
@@ -0,0 +1,70 @@
+audit-packages.conf(5) NetBSD File Formats Manual audit-packages.conf(5)
+
+NNAAMMEE
+ aauuddiitt--ppaacckkaaggeess..ccoonnff -- audit-packages and download-vulnerability-list
+ configuration file.
+
+DDEESSCCRRIIPPTTIIOONN
+ The aauuddiitt--ppaacckkaaggeess..ccoonnff file contains the configuration information for
+ download-vulnerability-list(8) and audit-packages(8).
+
+ These variables can be defined in the audit-packages.conf(8) file.
+
+ GPG The full path to the location of the binary used to verify
+ the signature on the downloaded _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file.
+ Currently only GnuPG is supported.
+
+ The default is "@prefix@/bin/gpg".
+
+ PKGVULNDIR Specifies the directory containing the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file.
+
+ The default is "@pkgdbdir@".
+
+ COMPRESS_TYPE Specifies which type of compressed _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file to download. You can also specify COMPRESS_TYPE=""
+ to use and uncompressed version of the file. If you
+ change this from the default you must specify a COM-
+ PRESS_TOOL. The currently accepted options are gzip and
+ bzip2.
+
+ COMPRESS_TOOL The full path to the location of the binary used to decom-
+ press the downloaded _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file.
+
+ The default is "@gzcat@".
+
+ FETCH_CMD Specifies the client used to download the
+ _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. Currently known tools include
+ curl, ftp, wget and fetch.
+
+ The default is @ftp@.
+
+ FETCH_ARGS Specifies optional arguments for the client used to down-
+ load the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file.
+
+ FETCH_PROTO Specifies the protocol to use when fetching the
+ _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. Currently supports only http
+ and ftp.
+
+ The default is "ftp".
+
+ IGNORE_URLS A list of vulnerability URLs to be ignored. This allows
+ for ignoring certain URLs that are attached to a vulnera-
+ bility.
+
+FFIILLEESS
+ @sysconfdir@/audit-packages.conf
+
+SSEEEE AALLSSOO
+ pkg_info(1), mk.conf(5), packages(7), audit-packages(8) and _D_o_c_u_m_e_n_t_a_t_i_o_n
+ _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m
+
+HHIISSTTOORRYY
+ The aauuddiitt--ppaacckkaaggeess..ccoonnff and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were
+ originally implemented and added to NetBSD's pkgsrc by Alistair Crooks on
+ September 19, 2000. During April 2007 aauuddiitt--ppaacckkaaggeess..ccoonnff was re-written
+ by Adrian Portelli and support was added for compressed files and check-
+ ing signatures on downloaded files. The original idea came from Roland
+ Dowdeswell and Bill Sommerfeld.
+
+NetBSD 3.1 July 07, 2007 NetBSD 3.1
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.in
new file mode 100644
index 00000000000..8eb4a159b40
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.in
@@ -0,0 +1,78 @@
+# $NetBSD: audit-packages.conf.in,v 1.1 2007/07/14 20:17:09 adrianp Exp $
+
+#
+# sample configuration file for audit-packages(8) and
+# download-vulnerability-list(8)
+#
+
+# GPG
+#
+# Specifies the full path to the gpg tool that will be used for verifying
+# the signature on the downloaded pkg-vulnerabilities file.
+#
+# Used by: audit-packages download-vulnerability-list
+# Supported: /path/to/gpg
+# Default: GPG="@prefix@/bin/gpg"
+
+# PKGVULNDIR
+#
+# Specifies the directory the pkg-vulnerabilities file is located in.
+#
+# Used by: audit-packages download-vulnerability-list
+# Supported: /path/to/pkg-vulnerabilities/
+# Default: PKGVULNDIR="@pkgdbdir@"
+
+# COMPRESS_TYPE
+#
+# Specifies which type of compressed pkg-vulnerabilities file to
+# download. You can also specify COMPRESS_TYPE="" to use
+# and uncompressed version of the file.
+#
+# If you change this from the default you must specify a COMPRESS_TOOL.
+#
+# Used by: download-vulnerability-list
+# Supported: gzip bzip2 (none)
+# Default: COMPRESS_TYPE="gzip"
+
+# COMPRESS_TOOL
+#
+# Specifies which tool will be used when dealing with the compressed
+# pkg-vulnerabilities file.
+#
+# Used by: download-vulnerability-list
+# Supported: Any local binary that can decompress the
+# pkg-vulnerabilities file to stdout
+# Default: COMPRESS_TOOL="@gzcat@"
+
+# FETCH_CMD
+#
+# Specifies the tool that will be used to fetch the pkg-vulnerabilities
+# file.
+#
+# Used by: download-vulnerability-list
+# Supported: /path/to/curl /path/to/ftp /path/to/wget /path/to/fetch
+# Default: FETCH_CMD=@ftp@
+
+# FETCH_ARGS
+#
+# Specifies optional arguments for the download-vulnerability-list client.
+#
+# Used by: download-vulnerability-list
+# Supported: Any valid arguments for FETCH_CMD
+# Default: FETCH_ARGS=
+
+# FETCH_PROTO
+#
+# Specifies the protocol to use when fetching the pkg-vulnerabilities file.
+#
+# Used by: download-vulnerability-list
+# Supported: ftp http
+# Default: FETCH_PROTO="ftp"
+
+# IGNORE_URLS
+#
+# A list of vulnerability URLs to be ignored.
+#
+# Used by: audit-packages
+# Supported: Valid URL(s) from pkg-vulnerabilities
+# Default: IGNORE_URLS=
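Review bot: The COMPRESS_TYPE entry (`You can also specify COMPRESS_TYPE="" to use and uncompressed version` and `Supported: gzip bzip2 (none)`) does not match what download-vulnerability-list.sh.in in this same commit accepts: its `case "${COMPRESS_TYPE}"` matches only `bzip2`, `gzip` and `none`, so an empty value falls through to the `*)` arm and the script exits with "Unknown COMPRESS_TYPE". Either that arm should read `none|"") COMPRESS_EXTN=""` or this file and audit-packages.conf.5.in should tell users to set `COMPRESS_TYPE="none"`; whichever is chosen, the script, this sample and the man page should agree. Since the script loads this file with `. ${_CONF_FILE}`, it is executed by the shell rather than parsed, so a header comment such as `# This file is sourced by /bin/sh: only VAR=value assignments belong here.` would help administrators keep anything other than plain assignments out of it. The typo `and uncompressed` should also read `an uncompressed`.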
diff --git a/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.1.in b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.1.in
new file mode 100644
index 00000000000..22ffeb00dbf
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.1.in
@@ -0,0 +1,336 @@
+.\" $NetBSD: download-vulnerability-list.1.in,v 1.1 2007/07/14 20:17:10 adrianp Exp $
+.\"
+.\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Jeremy C. Reed
+.\" for the NetBSD project.
+.\" 4. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 07, 2007
+.Os
+.Dt AUDIT-PACKAGES 1
+.Sh NAME
+.Nm audit-packages ,
+.Nm download-vulnerability-list
+.Nd show vulnerabilities in installed packages
+.Sh SYNOPSIS
+.Nm
+.Op Fl desVv
+.Op Fl c Ar config_file
+.Op Fl g Ar file
+.Op Fl h Ar file
+.Op Fl K Ar pkg_dbdir
+.Op Fl n Ar package
+.Op Fl p Ar package
+.Op Fl Q Ar varname
+.Op Fl t Ar type
+.Nm download-vulnerability-list
+.Op Fl hs
+.Op Fl c Ar config_file
+.Sh DESCRIPTION
+The
+.Nm
+program compares the installed packages with the
+.Pa pkg-vulnerabilities
+file and reports any known security issues to standard output.
+This output contains the name and version of the package, the
+type of vulnerability, and an URL for further information for each
+vulnerable package.
+.Pp
+The following flags are supported:
+.Bl -tag -width Ar
+.It Fl d
+Attempt to download the vulnerabilities
+file using the
+.Pa download-vulnerability-list
+script before scanning the installed packages for vulnerabilities.
+.It Fl e
+Check for end-of-life (eol) packages.
+.It Fl s
+Verify the signature of the current
+.Pa pkg-vulnerabilities
+file. The key used to sign the file is available from:
+.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
+.Pp
+In order for this to function correctly the above key must be
+added to the gpg keyring of the user who runs
+.Pa audit-packages -s
+and/or
+.Pa download-vulnerability-list -s .
+In addition to this the gpg binary must be installed on your system.
+The path to the gpg binary can be set in
+.Xr audit-packages.conf 5 .
+.Pp
+The requirement for GnuPG may go away in the future when a suitable
+replacement is implemented.
+.It Fl V
+Display the version number and exit.
+.It Fl v
+Be more verbose. Specify multiple -v flags to increase verbosity.
+Currently a maximum level of three is supported.
+.It Fl c Ar conf_file
+Specify a custom
+.Ar conf_file
+configuration file to use.
+.It Fl g Ar file
+Compute the SHA512 hash on
+.Ar file .
+.It Fl h Ar file
+Check the SHA512 hash of a
+.Ar file
+against the internally stored value.
+.It Fl K Ar pkg_dbdir
+Use package database directory
+.Ar pkg_dbdir .
+.It Fl n Ar package
+Check only the package
+.Ar package
+for vulnerabilities.
+.It Fl p Ar package
+Check only the installed package
+.Ar package
+for vulnerabilities.
+.It Fl Q Ar varname
+Display the current value of
+.Ar varname
+and exit. Currently supported
+.Ar varname
+are GPG, PKGVULNDIR and IGNORE_URLS.
+.It Fl t Ar type
+Only check for the specified
+.Ar type
+of vulnerability.
+.El
+.Pp
+The
+.Nm download-vulnerability-list
+program downloads the
+.Pa pkg-vulnerabilities
+file from
+.Pa ftp.NetBSD.org
+using
+.Xr ftp 1
+by default. This vulnerabilities file documents all known security issues in
+pkgsrc packages and is kept up-to-date by the
+.Nx
+pkgsrc-security team.
+.Pp
+The following flags are supported:
+.Bl -tag -width Ar
+.It Fl h
+Display program usage.
+.It Fl s
+Verify the signature of the current
+.Pa pkg-vulnerabilities
+file. In order for this to function correctly you will need to add the
+pkgsrc Security Team key to your gpg keyring and trust it. The key is
+available from:
+.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
+In addition to this the gpg binary must be installed on your system.
+The path to the gpg binary can be set in
+.Xr audit-packages.conf 5 .
+.It Fl c Ar conf_file
+Specify a custom
+.Ar conf_file
+configuration file to use.
+.El
+.Pp
+By default
+.Nm download-vulnerability-list
+will download a compressed version of
+.Pa pkg-vulnerabilities
+from ftp.netbsd.org. The default file downloaded is compressed using
+.Xr gzip 1 .
+The compression tool used can set in
+.Xr audit-packages.conf 5 .
+Currently only
+.Xr gzcat 1
+and
+.Xr bzcat 1
+are supported.
+.Pp
+Each line lists the package and vulnerable versions, the type of exploit,
+and an Internet address for further information:
+.Bl -item
+.It
+.Aq package pattern
+.Aq type
+.Aq url
+.El
+.Pp
+The type of exploit can be any text, although
+some common types of exploits listed are:
+.Bl -bullet -compact -offset indent
+.It
+cross-site-html
+.It
+cross-site-scripting
+.It
+denial-of-service
+.It
+eol
+.It
+file-permissions
+.It
+local-access
+.It
+local-code-execution
+.It
+local-file-read
+.It
+local-file-removal
+.It
+local-file-write
+.It
+local-root-file-view
+.It
+local-root-shell
+.It
+local-symlink-race
+.It
+local-user-file-view
+.It
+local-user-shell
+.It
+privacy-leak
+.It
+remote-code-execution
+.It
+remote-command-inject
+.It
+remote-file-creation
+.It
+remote-file-read
+.It
+remote-file-view
+.It
+remote-file-write
+.It
+remote-key-theft
+.It
+remote-root-access
+.It
+remote-root-shell
+.It
+remote-script-inject
+.It
+remote-server-admin
+.It
+remote-use-of-secret
+.It
+remote-user-access
+.It
+remote-user-file-view
+.It
+remote-user-shell
+.It
+unknown
+.It
+weak-authentication
+.It
+weak-encryption
+.It
+weak-ssl-authentication
+.El
+.Pp
+The type
+.Pa eol
+implies that the package is no longer maintained by the software vendor but
+is provided by the pkgsrc team for your convenience only. It may contain any
+number of the above mentioned vulnerabilities. Any packages of type eol
+are not reported by default. Run
+.Nm Fl e
+to also report on eol packages.
+.Pp
+By default, the vulnerabilities file is stored in the
+PKG_DBDIR
+directory. On a standard installation this will be set to @pkgdbdir@.
+If you have installed pkgsrc on a supported platform this will be what
+ever you specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>.
+The path to the
+.Pa pkg-vulnerabilities
+file can be set in
+.Xr audit-packages.conf 5 .
+.Sh EXIT STATUS
+.Ex -std audit-packages
+.Sh FILES
+@pkgdbdir@/pkg-vulnerabilities
+.Pp
+@sysconfdir@/audit-packages.conf
+.Sh EXAMPLES
+The
+.Nm download-vulnerability-list
+command can be run via
+.Xr cron 8
+to update the
+.Pa pkg-vulnerabilities
+file daily.
+And
+.Nm
+can be run via
+.Xr cron 8
+(or with
+.Nx Ap s
+.Pa /etc/security.local
+daily security script).
+.Pp
+The
+.Nm download-vulnerability-list
+command can be forced to use IPv4 with the following setting in
+@sysconfdir@/audit-packages.conf:
+.Pp
+FETCH_ARGS="-4"
+.Pp
+The
+.Nm download-vulnerability-list
+command can be forced to use http to download the
+.Pa pkg-vulnerabilities
+file with the following setting in
+@sysconfdir@/audit-packages.conf:
+.Pp
+FETCH_PROTO="http"
+.Sh SEE ALSO
+.Xr pkg_info 1 ,
+.Xr audit-packages.conf 5 ,
+.Xr mk.conf 5 ,
+.Xr packages 7 ,
+.%T "Documentation on the NetBSD Package System"
+.Sh HISTORY
+The
+.Nm
+and
+.Nm download-vulnerability-list
+commands were originally implemented and added to
+.Nx Ap s
+pkgsrc by
+.An Alistair Crooks
+on September 19, 2000. During April 2007
+.Nm
+was re-written by Adrian Portelli
+and support was added for compressed files and checking signatures on downloaded
+files.
+The original idea came from Roland Dowdeswell and Bill Sommerfeld.
diff --git a/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.cat1.in b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.cat1.in
new file mode 100644
index 00000000000..2a84417e27c
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.cat1.in
@@ -0,0 +1,183 @@
+AUDIT-PACKAGES(1) NetBSD General Commands Manual AUDIT-PACKAGES(1)
+
+NNAAMMEE
+ aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in
+ installed packages
+
+SSYYNNOOPPSSIISS
+ aauuddiitt--ppaacckkaaggeess [--ddeessVVvv] [--cc _c_o_n_f_i_g___f_i_l_e] [--gg _f_i_l_e] [--hh _f_i_l_e]
+ [--KK _p_k_g___d_b_d_i_r] [--nn _p_a_c_k_a_g_e] [--pp _p_a_c_k_a_g_e] [--QQ _v_a_r_n_a_m_e]
+ [--tt _t_y_p_e]
+ ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt [--hhss] [--cc _c_o_n_f_i_g___f_i_l_e]
+
+DDEESSCCRRIIPPTTIIOONN
+ The aauuddiitt--ppaacckkaaggeess program compares the installed packages with the
+ _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file and reports any known security issues to stan-
+ dard output. This output contains the name and version of the package,
+ the type of vulnerability, and an URL for further information for each
+ vulnerable package.
+
+ The following flags are supported:
+
+ --dd Attempt to download the vulnerabilities file using the
+ _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t script before scanning the
+ installed packages for vulnerabilities.
+
+ --ee Check for end-of-life (eol) packages.
+
+ --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file. The key used to sign the file is available from:
+ _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c
+
+ In order for this to function correctly the above key must
+ be added to the gpg keyring of the user who runs
+ _a_u_d_i_t_-_p_a_c_k_a_g_e_s _-_s and/or _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t _-_s.
+ In addition to this the gpg binary must be installed on
+ your system. The path to the gpg binary can be set in
+ audit-packages.conf(5).
+
+ The requirement for GnuPG may go away in the future when a
+ suitable replacement is implemented.
+
+ --VV Display the version number and exit.
+
+ --vv Be more verbose. Specify multiple -v flags to increase ver-
+ bosity. Currently a maximum level of three is supported.
+
+ --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use.
+
+ --gg _f_i_l_e Compute the SHA512 hash on _f_i_l_e.
+
+ --hh _f_i_l_e Check the SHA512 hash of a _f_i_l_e against the internally
+ stored value.
+
+ --KK _p_k_g___d_b_d_i_r Use package database directory _p_k_g___d_b_d_i_r.
+
+ --nn _p_a_c_k_a_g_e Check only the package _p_a_c_k_a_g_e for vulnerabilities.
+
+ --pp _p_a_c_k_a_g_e Check only the installed package _p_a_c_k_a_g_e for vulnerabili-
+ ties.
+
+ --QQ _v_a_r_n_a_m_e Display the current value of _v_a_r_n_a_m_e and exit. Currently
+ supported _v_a_r_n_a_m_e are GPG, PKGVULNDIR and IGNORE_URLS.
+
+ --tt _t_y_p_e Only check for the specified _t_y_p_e of vulnerability.
+
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file from _f_t_p_._N_e_t_B_S_D_._o_r_g using ftp(1) by default. This vulnerabilities
+ file documents all known security issues in pkgsrc packages and is kept
+ up-to-date by the NetBSD pkgsrc-security team.
+
+ The following flags are supported:
+
+ --hh Display program usage.
+
+ --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s
+ file. In order for this to function correctly you will
+ need to add the pkgsrc Security Team key to your gpg
+ keyring and trust it. The key is available from:
+ _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c
+ In addition to this the gpg binary must be installed on
+ your system. The path to the gpg binary can be set in
+ audit-packages.conf(5).
+
+ --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use.
+
+ By default ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt will download a compressed version
+ of _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s from ftp.netbsd.org. The default file downloaded
+ is compressed using gzip(1). The compression tool used can set in
+ audit-packages.conf(5). Currently only gzcat(1) and bzcat(1) are sup-
+ ported.
+
+ Each line lists the package and vulnerable versions, the type of exploit,
+ and an Internet address for further information:
+
+ <package pattern> <type> <url>
+
+ The type of exploit can be any text, although some common types of
+ exploits listed are:
+ ++oo cross-site-html
+ ++oo cross-site-scripting
+ ++oo denial-of-service
+ ++oo eol
+ ++oo file-permissions
+ ++oo local-access
+ ++oo local-code-execution
+ ++oo local-file-read
+ ++oo local-file-removal
+ ++oo local-file-write
+ ++oo local-root-file-view
+ ++oo local-root-shell
+ ++oo local-symlink-race
+ ++oo local-user-file-view
+ ++oo local-user-shell
+ ++oo privacy-leak
+ ++oo remote-code-execution
+ ++oo remote-command-inject
+ ++oo remote-file-creation
+ ++oo remote-file-read
+ ++oo remote-file-view
+ ++oo remote-file-write
+ ++oo remote-key-theft
+ ++oo remote-root-access
+ ++oo remote-root-shell
+ ++oo remote-script-inject
+ ++oo remote-server-admin
+ ++oo remote-use-of-secret
+ ++oo remote-user-access
+ ++oo remote-user-file-view
+ ++oo remote-user-shell
+ ++oo unknown
+ ++oo weak-authentication
+ ++oo weak-encryption
+ ++oo weak-ssl-authentication
+
+ The type _e_o_l implies that the package is no longer maintained by the
+ software vendor but is provided by the pkgsrc team for your convenience
+ only. It may contain any number of the above mentioned vulnerabilities.
+ Any packages of type eol are not reported by default. Run aauuddiitt--ppaacckkaaggeess
+ --ee to also report on eol packages.
+
+ By default, the vulnerabilities file is stored in the PKG_DBDIR direc-
+ tory. On a standard installation this will be set to @pkgdbdir@. If you
+ have installed pkgsrc on a supported platform this will be what ever you
+ specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>. The path
+ to the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file can be set in audit-packages.conf(5).
+
+EEXXIITT SSTTAATTUUSS
+ The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs.
+
+FFIILLEESS
+ @pkgdbdir@/pkg-vulnerabilities
+
+ @sysconfdir@/audit-packages.conf
+
+EEXXAAMMPPLLEESS
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be run via cron(8) to update
+ the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily. And aauuddiitt--ppaacckkaaggeess can be run via
+ cron(8) (or with NetBSD's _/_e_t_c_/_s_e_c_u_r_i_t_y_._l_o_c_a_l daily security script).
+
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use IPv4 with
+ the following setting in @sysconfdir@/audit-packages.conf:
+
+ FETCH_ARGS="-4"
+
+ The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use http to
+ download the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file with the following setting in
+ @sysconfdir@/audit-packages.conf:
+
+ FETCH_PROTO="http"
+
+SSEEEE AALLSSOO
+ pkg_info(1), audit-packages.conf(5), mk.conf(5), packages(7),
+ _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m
+
+HHIISSTTOORRYY
+ The aauuddiitt--ppaacckkaaggeess and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were origi-
+ nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on
+ September 19, 2000. During April 2007 aauuddiitt--ppaacckkaaggeess was re-written by
+ Adrian Portelli and support was added for compressed files and checking
+ signatures on downloaded files. The original idea came from Roland
+ Dowdeswell and Bill Sommerfeld.
+
+NetBSD 3.1 July 07, 2007 NetBSD 3.1
diff --git a/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.sh.in b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.sh.in
new file mode 100644
index 00000000000..949af37c337
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.sh.in
@@ -0,0 +1,205 @@
+#!/bin/sh
+
+# $NetBSD: download-vulnerability-list.sh.in,v 1.1 2007/07/14 20:17:10 adrianp Exp $
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Alistair Crooks
+# for the NetBSD project.
+# 4. The name of the author may not be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+: ${PKGVULNDIR="@pkgdbdir@"}
+: ${COMPRESS_TYPE="gzip"}
+: ${FETCH_CMD=@ftp@}
+: ${FETCH_ARGS=""}
+: ${FETCH_PROTO=ftp}
+
+AP=@prefix@/sbin/audit-packages
+NEW_VUL_LIST=pkg-vulnerabilities.$$
+EXIST_VUL_LIST=pkg-vulnerabilities
+FETCH_PATH="ftp.NetBSD.org/pub/NetBSD/packages/vulns"
+_CONF_FILE="@sysconfdir@/audit-packages.conf"
+COMPRESS_TOOL=""
+
+usage()
+{
+ argv0="${1##*/}"
+ cat <<EOF
+$2
+Usage: $argv0 [-s] [-c config-file]
+ -s : Verify the signature on the downloaded file.
+ -c : Specify a custom configuration file to use.
+EOF
+ exit 1
+}
+
+verify=no
+custom_conf=no
+conf_found=no
+neednew=no
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -s)
+ verify=yes
+ ;;
+ -c)
+ custom_conf=yes
+ local_conf="$2"
+ ;;
+ *)
+ usage "$0" "Unknown option $1"
+ esac
+ shift
+done
+
+# generic conf file handler
+if [ -r ${_CONF_FILE} ]; then
+ conf_found=yes
+fi
+
+# see if the user wants us to use a custom config file
+if [ "x${custom_conf}" = "xyes" ]; then
+ if [ -r ${local_conf} ]; then
+ conf_found=yes
+ _CONF_FILE=${local_conf}
+ fi
+fi
+
+# only do the following if we have found a config file to use
+if [ "x${conf_found}" = "xyes" ]; then
+ if [ -r ${_CONF_FILE} ]; then
+ echo "Reading settings from ${_CONF_FILE}"
+ . ${_CONF_FILE}
+ fi
+fi
+
+# setup the compression type
+case "${COMPRESS_TYPE}" in
+bzip2) COMPRESS_EXTN=.bz2
+ compressed=yes
+ ;;
+gzip) COMPRESS_EXTN=.gz
+ compressed=yes
+ ;;
+none) COMPRESS_EXTN=""
+ compressed=no
+ ;;
+*) echo "***ERROR*** Unknown COMPRESS_TYPE specified - Only bzip2 and gzip are currently supported."
+ exit 1
+ ;;
+esac
+
+# setup the compression tool and arguments
+if [ "x${compressed}" = "xyes" ]; then
+ if [ "x${COMPRESS_TYPE}" = "xgzip" -a "x${COMPRESS_TOOL}" = "x" ]; then
+ COMPRESS_TOOL="@gzcat@"
+ fi
+
+ if [ "x${COMPRESS_TYPE}" != "xgzip" -a "x${COMPRESS_TOOL}" = "x" ]; then
+ echo "***ERROR*** A non-default COMPRESS_TYPE has been specified without a COMPRESS_TOOL"
+ exit 1
+ fi
+fi
+
+VUL_SOURCE="${FETCH_PROTO}://${FETCH_PATH}/pkg-vulnerabilities${COMPRESS_EXTN}"
+
+if [ ! -d ${PKGVULNDIR}/. ]; then
+ echo "Creating ${PKGVULNDIR}"
+
+ /bin/mkdir ${PKGVULNDIR}
+ if [ ! -d ${PKGVULNDIR} ]; then
+ echo "***ERROR*** Can't create: ${PKGVULNDIR}"
+ exit 1
+ fi
+fi
+
+if [ ! "x${FETCH_PROTO}" = "xhttp" -a ! "x${FETCH_PROTO}" = "xftp" ]; then
+ echo "***ERROR*** Unknown FETCH_PROTO specified - Only http and ftp are currently supported."
+ exit 1
+fi
+
+cd ${PKGVULNDIR}
+utility=`basename "${FETCH_CMD}"`
+case "${utility}" in
+curl|fetch|ftp) ${FETCH_CMD} ${FETCH_ARGS} \
+ -o ${NEW_VUL_LIST}${COMPRESS_EXTN} ${VUL_SOURCE} ;;
+wget) ${FETCH_CMD} ${FETCH_ARGS} \
+ -O ${NEW_VUL_LIST}${COMPRESS_EXTN} ${VUL_SOURCE} ;;
+*) echo "Unknown fetch command - please use send-pr to send in support for your fetch command" 1>&2
+ exit 1
+ ;;
+esac
+
+# see if we got a file
+if [ ! -f "${NEW_VUL_LIST}${COMPRESS_EXTN}" ]; then
+ echo "***ERROR*** Download of vulnerabilities file failed" 1>&2
+ exit 1
+fi
+
+# decompress the downloaded file and delete the download
+if [ "x${compressed}" = "xyes" ]; then
+ ${COMPRESS_TOOL} ${NEW_VUL_LIST}${COMPRESS_EXTN} > ${NEW_VUL_LIST}
+ /bin/rm -f ${NEW_VUL_LIST}${COMPRESS_EXTN}
+fi
+
+# compare the old and new files to see if there's a difference
+if [ -f ${EXIST_VUL_LIST} ]; then
+ exist_hash=`${AP} -g ${EXIST_VUL_LIST}`
+ new_hash=`${AP} -g ${NEW_VUL_LIST}`
+
+ if [ "x${exist_hash}" != "x${new_hash}" ]; then
+ neednew=yes
+ else
+ echo "No change from existing package vulnerabilities file"
+ /bin/rm -f ${NEW_VUL_LIST}
+ exit 0
+ fi
+else
+ neednew=yes
+fi
+
+# check the hash and/or sig on the new file
+if [ "x${verify}" = "xyes" ]; then
+ ${AP} -s -h ${NEW_VUL_LIST}
+else
+ ${AP} -h ${NEW_VUL_LIST}
+fi
+
+ec=$?;
+
+if [ $ec -ne 0 ]; then
+ echo "***ERROR*** Failed to verify the newly downloaded vulnerabilities file" 1>&2
+ /bin/rm -f ${NEW_VUL_LIST}
+ exit 1
+fi
+
+# move the new file into position
+echo "Package vulnerabilities file has been updated"
+/bin/chmod a+r ${NEW_VUL_LIST}
+/bin/mv -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
+
+exit 0
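Review bot: The decompression step `${COMPRESS_TOOL} ${NEW_VUL_LIST}${COMPRESS_EXTN} > ${NEW_VUL_LIST}` and the fetch commands in the `case "${utility}"` block never check their exit status; the only failure test is `[ ! -f "${NEW_VUL_LIST}${COMPRESS_EXTN}" ]`, which a truncated or partially written download can still pass, leaving the later `${AP} -h` run as the only thing that catches it. Appending `|| { /bin/rm -f "${NEW_VUL_LIST}${COMPRESS_EXTN}" "${NEW_VUL_LIST}"; exit 1; }` to the decompression line, and checking the fetch status the same way, fails early and keeps a bad temporary file from lingering in PKGVULNDIR. `cd ${PKGVULNDIR}` is likewise unchecked, and PKGVULNDIR is unquoted throughout; if the cd fails, the `rm -f` and `mv -f` that follow operate on whatever the current directory is, so `cd "${PKGVULNDIR}" || exit 1` is the safer form. It is also worth a comment on the `# check the hash and/or sig on the new file` line that without `-s` the file is only checked by `${AP} -h` against a stored SHA512, which is an integrity check on the download and not an authenticity check, so the default run accepts any well-formed file the fetch returns.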
diff --git a/pkgtools/pkg_install/files/configure b/pkgtools/pkg_install/files/configure
index a8236b21331..2bef0e030b7 100755
--- a/pkgtools/pkg_install/files/configure
+++ b/pkgtools/pkg_install/files/configure
@@ -269,7 +269,7 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='pkg_install'
PACKAGE_TARNAME='pkg_install'
-PACKAGE_VERSION='20070414'
+PACKAGE_VERSION='20070416'
PACKAGE_STRING='pkg_install 20070416'
PACKAGE_BUGREPORT='grant@NetBSD.org'
@@ -6004,7 +6004,7 @@ esac
- ac_config_files="$ac_config_files Makefile add/Makefile admin/Makefile bpm/bpm.sh create/Makefile delete/Makefile info/Makefile lib/Makefile view/Makefile view/linkfarm.sh view/pkg_view.sh"
+ ac_config_files="$ac_config_files Makefile add/Makefile admin/Makefile audit-packages/Makefile audit-packages/audit-packages.1 audit-packages/audit-packages.cat1 audit-packages/audit-packages.conf audit-packages/audit-packages.conf.5 audit-packages/audit-packages.conf.cat5 audit-packages/download-vulnerability-list.1 audit-packages/download-vulnerability-list.cat1 audit-packages/download-vulnerability-list.sh bpm/bpm.sh create/Makefile delete/Makefile info/Makefile lib/Makefile view/Makefile view/linkfarm.sh view/pkg_view.sh"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -6534,6 +6534,15 @@ do
"Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
"add/Makefile" ) CONFIG_FILES="$CONFIG_FILES add/Makefile" ;;
"admin/Makefile" ) CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;;
+ "audit-packages/Makefile" ) CONFIG_FILES="$CONFIG_FILES audit-packages/Makefile" ;;
+ "audit-packages/audit-packages.1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.1" ;;
+ "audit-packages/audit-packages.cat1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.cat1" ;;
+ "audit-packages/audit-packages.conf" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.conf" ;;
+ "audit-packages/audit-packages.conf.5" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.conf.5" ;;
+ "audit-packages/audit-packages.conf.cat5" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.conf.cat5" ;;
+ "audit-packages/download-vulnerability-list.1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/download-vulnerability-list.1" ;;
+ "audit-packages/download-vulnerability-list.cat1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/download-vulnerability-list.cat1" ;;
+ "audit-packages/download-vulnerability-list.sh" ) CONFIG_FILES="$CONFIG_FILES audit-packages/download-vulnerability-list.sh" ;;
"bpm/bpm.sh" ) CONFIG_FILES="$CONFIG_FILES bpm/bpm.sh" ;;
"create/Makefile" ) CONFIG_FILES="$CONFIG_FILES create/Makefile" ;;
"delete/Makefile" ) CONFIG_FILES="$CONFIG_FILES delete/Makefile" ;;
diff --git a/pkgtools/pkg_install/files/configure.ac b/pkgtools/pkg_install/files/configure.ac
index 85338224cd2..0de6c502928 100644
--- a/pkgtools/pkg_install/files/configure.ac
+++ b/pkgtools/pkg_install/files/configure.ac
@@ -142,7 +142,14 @@ AH_BOTTOM(
#endif
)
-AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile bpm/bpm.sh \
+AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile
+ audit-packages/Makefile audit-packages/audit-packages.1 \
+ audit-packages/audit-packages.cat1 audit-packages/audit-packages.conf \
+ audit-packages/audit-packages.conf.5 \
+ audit-packages/audit-packages.conf.cat5 \
+ audit-packages/download-vulnerability-list.1 \
+ audit-packages/download-vulnerability-list.cat1 \
+ audit-packages/download-vulnerability-list.sh bpm/bpm.sh \
create/Makefile delete/Makefile info/Makefile lib/Makefile \
view/Makefile view/linkfarm.sh view/pkg_view.sh])
AC_OUTPUT
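Review bot: The rewritten first line `AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile` drops the trailing `\` that the removed line carried, while every other continuation line in the new list keeps one. AC_CONFIG_FILES takes a whitespace-separated list, and the regenerated configure in this commit does show all entries on one line, so this appears harmless, but the mixed style invites a later edit to break the list. Restoring it as `AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile \` keeps the hunk consistent with itself.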