Make the check-vulnerable target more self-sufficient, by moving some

of the logic from fetch/fetch.mk into flavor/pkg/check.mk, so that
check-vulnerable can be used as a source target.

Make check-vulnerable a source target for every phase of the build
workflow, which ensures that it is always run if the user starts a
new phase from the command line.

Fix the cookie-generation targets so that they don't append, only
overwrite to the cookie file.  This works around potential problems
due to recursive makes.

Move the cookie checks so that they surround the corresponding phase
target.  The presence of the cookie should now inform the make process
to avoid doing any processing of phases that occur before the phase
corresponding to the cookie.

16 files changed, 121 insertions, 100 deletions

diff --git a/mk/build/bsd.build.mk b/mk/build/bsd.build.mk
index 8b1e0aaf444..7e17ab1d40a 100644
--- a/mk/build/bsd.build.mk
+++ b/mk/build/bsd.build.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.build.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: bsd.build.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to building sources for a package.
@@ -40,4 +40,4 @@ build: configure build-cookie
 .PHONY: build-cookie
 build-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_BUILD_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_BUILD_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_BUILD_COOKIE}
diff --git a/mk/build/build.mk b/mk/build/build.mk
index db9ad7dfce8..aa559124a89 100644
--- a/mk/build/build.mk
+++ b/mk/build/build.mk
@@ -1,4 +1,4 @@
-# $NetBSD: build.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: build.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # BUILD_MAKE_FLAGS is the list of arguments that is passed to the make
 #	process.
@@ -14,6 +14,7 @@ BUILD_TARGET?=		all
 ######################################################################
 ### build is a public target to build the sources from the package.
 ###
+_BUILD_TARGETS+=	check-vulnerable
 _BUILD_TARGETS+=	configure
 _BUILD_TARGETS+=	acquire-build-lock
 _BUILD_TARGETS+=	${_BUILD_COOKIE}
@@ -22,20 +23,20 @@ _BUILD_TARGETS+=	pkginstall
 
 .PHONY: build
 .if !target(build)
+.  if !exists(${_BUILD_COOKIE})
 build: ${_BUILD_TARGETS}
+.  else
+build:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-build-lock release-build-lock
 acquire-build-lock: acquire-lock
 release-build-lock: release-lock
 
-.if !exists(${_BUILD_COOKIE})
 ${_BUILD_COOKIE}:
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-build PKG_PHASE=build || ${PKG_ERROR_HANDLER.build}
-.else
-${_BUILD_COOKIE}:
-	@${DO_NADA}
-.endif
 
 PKG_ERROR_CLASSES+=	build
 PKG_ERROR_MSG.build=							\
diff --git a/mk/build/test.mk b/mk/build/test.mk
index 6e242cf5f97..561bc340c0a 100644
--- a/mk/build/test.mk
+++ b/mk/build/test.mk
@@ -1,4 +1,4 @@
-# $NetBSD: test.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: test.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # TEST_DIRS is the list of directories in which to perform the build
 #	process.  If the directories are relative paths, then they
@@ -19,6 +19,7 @@ TEST_MAKE_FLAGS?=	${MAKE_FLAGS}
 ######################################################################
 ### build is a public target to build the sources from the package.
 ###
+_TEST_TARGETS+=	check-vulnerable
 _TEST_TARGETS+=	build
 _TEST_TARGETS+=	acquire-test-lock
 _TEST_TARGETS+=	${_TEST_COOKIE}
@@ -120,4 +121,4 @@ post-test:
 .PHONY: test-cookie
 test-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_TEST_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_TEST_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_TEST_COOKIE}
diff --git a/mk/check/check-vulnerable.mk b/mk/check/check-vulnerable.mk
index 21c73d51108..6bb3e096df5 100644
--- a/mk/check/check-vulnerable.mk
+++ b/mk/check/check-vulnerable.mk
@@ -1,4 +1,4 @@
-# $NetBSD: check-vulnerable.mk,v 1.2 2006/06/05 22:49:44 jlam Exp $
+# $NetBSD: check-vulnerable.mk,v 1.3 2006/07/05 09:08:35 jlam Exp $
 
 ###########################################################################
 ### check-vulnerable (PRIVATE, override)
@@ -9,5 +9,9 @@
 .PHONY: check-vulnerable
 .if !target(check-vulnerable)
 check-vulnerable:
+.  if defined(ALLOW_VULNERABLE_PACKAGES)
+	@${DO_NADA}
+.  else
 	@${PHASE_MSG} "Skipping vulnerability checks."
+.  endif
 .endif
diff --git a/mk/configure/bsd.configure.mk b/mk/configure/bsd.configure.mk
index e90efd600d8..901954186fe 100644
--- a/mk/configure/bsd.configure.mk
+++ b/mk/configure/bsd.configure.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.configure.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: bsd.configure.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to configuring packages for building.
@@ -36,4 +36,4 @@ configure: patch configure-cookie
 .PHONY: configure-cookie
 configure-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_CONFIGURE_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_CONFIGURE_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_CONFIGURE_COOKIE}
diff --git a/mk/configure/configure.mk b/mk/configure/configure.mk
index fe504e2bba4..fcf990e9e12 100644
--- a/mk/configure/configure.mk
+++ b/mk/configure/configure.mk
@@ -1,4 +1,4 @@
-# $NetBSD: configure.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: configure.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # CONFIGURE_SCRIPT is the path to the script to run in order to
 #	configure the software for building.  If the path is relative,
@@ -40,6 +40,7 @@ BUILD_DEFS+=		CONFIGURE_ENV CONFIGURE_ARGS
 ######################################################################
 ### configure is a public target to configure the sources for building.
 ###
+_CONFIGURE_TARGETS+=	check-vulnerable
 _CONFIGURE_TARGETS+=	wrapper
 _CONFIGURE_TARGETS+=	acquire-configure-lock
 _CONFIGURE_TARGETS+=	${_CONFIGURE_COOKIE}
@@ -47,20 +48,20 @@ _CONFIGURE_TARGETS+=	release-configure-lock
 
 .PHONY: configure
 .if !target(configure)
+.  if !exists(${_CONFIGURE_COOKIE})
 configure: ${_CONFIGURE_TARGETS}
+.  else
+configure:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-configure-lock release-configure-lock
 acquire-configure-lock: acquire-lock
 release-configure-lock: release-lock
 
-.if !exists(${_CONFIGURE_COOKIE})
 ${_CONFIGURE_COOKIE}:
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-configure PKG_PHASE=configure || ${PKG_ERROR_HANDLER.configure}
-.else
-${_CONFIGURE_COOKIE}:
-	@${DO_NADA}
-.endif
 
 PKG_ERROR_CLASSES+=	configure
 PKG_ERROR_MSG.configure=						\
diff --git a/mk/depends/depends.mk b/mk/depends/depends.mk
index d963c7ab2ac..69c84940264 100644
--- a/mk/depends/depends.mk
+++ b/mk/depends/depends.mk
@@ -1,4 +1,4 @@
-# $NetBSD: depends.mk,v 1.7 2006/06/09 13:59:08 jlam Exp $
+# $NetBSD: depends.mk,v 1.8 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### depends (PUBLIC)
@@ -12,19 +12,19 @@ _DEPENDS_TARGETS+=	release-depends-lock
 
 .PHONY: depends
 .if !target(depends)
+.  if !exists(${_DEPENDS_COOKIE})
 depends: ${_DEPENDS_TARGETS}
+.  else
+depends:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-depends-lock release-depends-lock
 acquire-depends-lock: acquire-lock
 release-depends-lock: release-lock
 
-.if !exists(${_DEPENDS_COOKIE})
 ${_DEPENDS_COOKIE}: real-depends
-.else
-${_DEPENDS_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-depends (PRIVATE)
diff --git a/mk/extract/extract.mk b/mk/extract/extract.mk
index 41513acc437..257d21e2807 100644
--- a/mk/extract/extract.mk
+++ b/mk/extract/extract.mk
@@ -1,4 +1,4 @@
-# $NetBSD: extract.mk,v 1.7 2006/06/09 13:59:08 jlam Exp $
+# $NetBSD: extract.mk,v 1.8 2006/07/05 09:08:35 jlam Exp $
 #
 # The following variables may be set by the package Makefile and
 # specify how extraction happens:
@@ -42,6 +42,7 @@ _EXTRACT_COOKIE=	${WRKDIR}/.extract_done
 ######################################################################
 ### extract is a public target to perform extraction.
 ###
+_EXTRACT_TARGETS+=	check-vulnerable
 _EXTRACT_TARGETS+=	checksum
 _EXTRACT_TARGETS+=	makedirs
 _EXTRACT_TARGETS+=	depends
@@ -52,19 +53,19 @@ _EXTRACT_TARGETS+=	release-extract-lock
 
 .PHONY: extract
 .if !target(extract)
+.  if !exists(${_EXTRACT_COOKIE})
 extract: ${_EXTRACT_TARGETS}
+.  else
+extract:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-extract-lock release-extract-lock
 acquire-extract-lock: acquire-lock
 release-extract-lock: release-lock
 
-.if !exists(${_EXTRACT_COOKIE})
 ${_EXTRACT_COOKIE}: real-extract
-.else
-${_EXTRACT_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-extract (PRIVATE)
@@ -114,7 +115,7 @@ extract-check-interactive:
 .PHONY: extract-cookie
 extract-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_EXTRACT_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_EXTRACT_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_EXTRACT_COOKIE}
 
 ######################################################################
 ### pre-extract, do-extract, post-extract (PUBLIC, override)
diff --git a/mk/fetch/fetch.mk b/mk/fetch/fetch.mk
index 6a80366cce5..1c52f1d8827 100644
--- a/mk/fetch/fetch.mk
+++ b/mk/fetch/fetch.mk
@@ -1,4 +1,4 @@
-# $NetBSD: fetch.mk,v 1.4 2006/06/20 14:54:03 jlam Exp $
+# $NetBSD: fetch.mk,v 1.5 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### fetch (PUBLIC)
@@ -8,7 +8,7 @@
 ###
 .PHONY: fetch
 .if !target(fetch)
-fetch: pre-fetch do-fetch post-fetch
+fetch: check-vulnerable pre-fetch do-fetch post-fetch
 .endif
 
 # If this host is behind a filtering firewall, use passive ftp(1)
@@ -262,24 +262,6 @@ batch-check-distfiles:
 .PHONY: do-fetch
 .if !target(do-fetch)
 do-fetch: ${FAILOVER_FETCH:Duptodate-digest}
-.  if !defined(ALLOW_VULNERABLE_PACKAGES)
-	${_PKG_SILENT}${_PKG_DEBUG}					\
-	if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then		\
-		${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
-		vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`;		\
-		case "$$vul" in						\
-		"")	;;						\
-		*)	${ECHO} "$$vul";				\
-			${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
-			${FALSE} ;;					\
-		esac;							\
-	else								\
-		${PHASE_MSG} "Skipping vulnerability checks.";		\
-		${WARNING_MSG} "No ${PKGVULNDIR}/pkg-vulnerabilities file found."; \
-		${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
-		${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
-	fi
-.  endif
 .  if !empty(_ALLFILES)
 	${_PKG_SILENT}${_PKG_DEBUG}					\
 	${TEST} -d ${_DISTDIR} || ${MKDIR} ${_DISTDIR}
diff --git a/mk/flavor/pkg/check.mk b/mk/flavor/pkg/check.mk
index 537599df581..8b4eddede20 100644
--- a/mk/flavor/pkg/check.mk
+++ b/mk/flavor/pkg/check.mk
@@ -1,4 +1,4 @@
-# $NetBSD: check.mk,v 1.1 2006/06/03 23:11:42 jlam Exp $
+# $NetBSD: check.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### check-vulnerable (PUBLIC, pkgsrc/mk/check/check.mk)
@@ -12,16 +12,43 @@
 ###
 .PHONY: check-vulnerable
 check-vulnerable:
-	@if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
-		. ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf;	\
-	elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
-		. ${PKG_SYSCONFDIR}/audit-packages.conf;		\
+.if defined(ALLOW_VULNERABLE_PACKAGES)
+	@${DO_NADA}
+.else
+	${_PKG_SILENT}${_PKG_DEBUG}					\
+	vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities;			\
+	if ${TEST} ! -f "$$vulnfile"; then				\
+		${PHASE_MSG} "Skipping vulnerability checks.";		\
+		${WARNING_MSG} "No $$vulnfile file found.";		\
+		${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
+		${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
+		exit 0;							\
 	fi;								\
-	if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then		\
-		${SETENV} PKGNAME=${PKGNAME}				\
-			  PKGBASE=${PKGBASE}				\
-		${AWK} '/^$$/ { next }				\
-			/^#.*/ { next }				\
-			$$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
-			{ s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
+	${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}";	\
+	conffile=;							\
+	for dir in							\
+		__dummy							\
+		${PKG_SYSCONFDIR.audit-packages:Q}""			\
+		${PKG_SYSCONFDIR:Q}"";					\
+	do								\
+		case $$dir in						\
+		/*)	conffile="$$dir/audit-packages.conf"; break ;;	\
+		*)	continue ;;					\
+		esac;							\
+	done;								\
+	if ${TEST} -z "$$conffile" -a -f "$$conffile"; then		\
+		. $$conffile;						\
+	fi;								\
+	${SETENV} PKGNAME=${PKGNAME}					\
+		  PKGBASE=${PKGBASE}					\
+	${AWK} 'BEGIN { exitcode = 0 }					\
+		/^$$/ { next }						\
+		/^#.*/ { next }						\
+		$$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next }	\
+		{ s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
+		END { exit exitcode }' < $$vulnfile || ${FALSE};	\
+	if ${TEST} "$$?" -ne 0; then					\
+		${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+		${FALSE};						\
 	fi
+.endif
diff --git a/mk/install/bsd.install.mk b/mk/install/bsd.install.mk
index cf665e82bf2..09a68bedb96 100644
--- a/mk/install/bsd.install.mk
+++ b/mk/install/bsd.install.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.install.mk,v 1.3 2006/06/06 00:25:26 jlam Exp $
+# $NetBSD: bsd.install.mk,v 1.4 2006/07/05 09:08:35 jlam Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to installing packages.
@@ -38,4 +38,4 @@ install: ${_PKGSRC_BUILD_TARGETS} install-cookie
 ###
 .PHONY: install-cookie
 install-cookie:
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_INSTALL_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_INSTALL_COOKIE}
diff --git a/mk/install/install.mk b/mk/install/install.mk
index cee95885263..43f2350a034 100644
--- a/mk/install/install.mk
+++ b/mk/install/install.mk
@@ -1,4 +1,4 @@
-# $NetBSD: install.mk,v 1.8 2006/06/14 07:51:47 jlam Exp $
+# $NetBSD: install.mk,v 1.9 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### install (PUBLIC)
@@ -6,6 +6,7 @@
 ### install is a public target to install the package.  It will
 ### acquire elevated privileges just-in-time.
 ###
+_INSTALL_TARGETS+=	check-vulnerable
 _INSTALL_TARGETS+=	${_PKGSRC_BUILD_TARGETS}
 _INSTALL_TARGETS+=	acquire-install-lock
 _INSTALL_TARGETS+=	${_INSTALL_COOKIE}
@@ -13,20 +14,20 @@ _INSTALL_TARGETS+=	release-install-lock
 
 .PHONY: install
 .if !target(install)
+.  if !exists(${_INSTALL_COOKIE})
 install: ${_INSTALL_TARGETS}
+.  else
+install:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-install-lock release-install-lock
 acquire-install-lock: acquire-lock
 release-install-lock: release-lock
 
-.if !exists(${_INSTALL_COOKIE})
 ${_INSTALL_COOKIE}: install-check-interactive
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-install PKG_PHASE=install
-.else
-${_INSTALL_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-install (PRIVATE)
diff --git a/mk/package/package.mk b/mk/package/package.mk
index eb9fbc2df4b..9092236e188 100644
--- a/mk/package/package.mk
+++ b/mk/package/package.mk
@@ -1,4 +1,4 @@
-# $NetBSD: package.mk,v 1.9 2006/06/18 07:46:03 rillig Exp $
+# $NetBSD: package.mk,v 1.10 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### package (PUBLIC)
@@ -6,6 +6,7 @@
 ### package is a public target to generate a binary package.  It will
 ### acquire elevated privileges just-in-time.
 ###
+_PACKAGE_TARGETS+=	check-vulnerable
 _PACKAGE_TARGETS+=	install
 _PACKAGE_TARGETS+=	acquire-package-lock
 _PACKAGE_TARGETS+=	${_PACKAGE_COOKIE}
@@ -13,20 +14,20 @@ _PACKAGE_TARGETS+=	release-package-lock
 
 .PHONY: package
 .if !target(package)
+.  if !exists(${_PACKAGE_COOKIE})
 package: ${_PACKAGE_TARGETS}
+.  else
+package:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-package-lock release-package-lock
 acquire-package-lock: acquire-lock
 release-package-lock: release-lock
 
-.if !exists(${_PACKAGE_COOKIE})
 ${_PACKAGE_COOKIE}:
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-package PKG_PHASE=package
-.else
-${_PACKAGE_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-package (PRIVATE)
@@ -54,7 +55,8 @@ package-message:
 ###
 .PHONY: package-cookie
 package-cookie:
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_PACKAGE_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_PACKAGE_COOKIE:H}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_PACKAGE_COOKIE}
 
 ######################################################################
 ### The targets below are run with elevated privileges.
diff --git a/mk/patch/patch.mk b/mk/patch/patch.mk
index cea306ce9fc..c47dbfc4306 100644
--- a/mk/patch/patch.mk
+++ b/mk/patch/patch.mk
@@ -1,4 +1,4 @@
-# $NetBSD: patch.mk,v 1.4 2006/06/09 13:59:08 jlam Exp $
+# $NetBSD: patch.mk,v 1.5 2006/07/05 09:08:35 jlam Exp $
 #
 # The following variables may be set in a package Makefile and control
 # how pkgsrc patches are applied.
@@ -52,24 +52,27 @@ _PATCH_COOKIE=		${WRKDIR}/.patch_done
 ### patch is a public target to apply the distribution and pkgsrc
 ### patches to the extracted sources for the package.
 ###
+_PATCH_TARGETS+=	check-vulnerable
 _PATCH_TARGETS+=	extract
 _PATCH_TARGETS+=	acquire-patch-lock
 _PATCH_TARGETS+=	${_PATCH_COOKIE}
 _PATCH_TARGETS+=	release-patch-lock
 
 .PHONY: patch
+.if !target(patch)
+.  if !exists(${_PATCH_COOKIE})
 patch: ${_PATCH_TARGETS}
+.  else
+patch:
+	@${DO_NADA}
+.  endif
+.endif
 
 .PHONY: acquire-patch-lock release-patch-lock
 acquire-patch-lock: acquire-lock
 release-patch-lock: release-lock
 
-.if !exists(${_PATCH_COOKIE})
 ${_PATCH_COOKIE}: real-patch
-.else
-${_PATCH_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-patch (PRIVATE)
diff --git a/mk/tools/bsd.tools.mk b/mk/tools/bsd.tools.mk
index 1409be171e7..594d4194b9a 100644
--- a/mk/tools/bsd.tools.mk
+++ b/mk/tools/bsd.tools.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.tools.mk,v 1.38 2006/07/05 04:32:10 jlam Exp $
+# $NetBSD: bsd.tools.mk,v 1.39 2006/07/05 09:08:35 jlam Exp $
 #
 # Copyright (c) 2005, 2006 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -68,19 +68,19 @@ _TOOLS_TARGETS+=	release-tools-lock
 
 .PHONY: tools
 .if !target(tools)
+.  if !exists(${_TOOLS_COOKIE})
 tools: ${_TOOLS_TARGETS}
+.  else
+tools:
+	@${DO_NADA}
+.  endif
 .endif 
 
 .PHONY: acquire-tools-lock release-tools-lock
 acquire-tools-lock: acquire-lock
 release-tools-lock: release-lock
 
-.if !exists(${_TOOLS_COOKIE})
 ${_TOOLS_COOKIE}: real-tools
-.else
-${_TOOLS_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-tools (PRIVATE)
@@ -111,7 +111,7 @@ tools-message:
 .PHONY: tools-cookie
 tools-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_TOOLS_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${USE_TOOLS:Q} >> ${_TOOLS_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${USE_TOOLS:Q} > ${_TOOLS_COOKIE}
 
 ######################################################################
 ### override-tools (PRIVATE)
diff --git a/mk/wrapper/bsd.wrapper.mk b/mk/wrapper/bsd.wrapper.mk
index cf76bc799ef..d8e3f2eb1aa 100644
--- a/mk/wrapper/bsd.wrapper.mk
+++ b/mk/wrapper/bsd.wrapper.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.wrapper.mk,v 1.43 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: bsd.wrapper.mk,v 1.44 2006/07/05 09:08:35 jlam Exp $
 #
 # Copyright (c) 2005 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -779,8 +779,11 @@ _WRAPPER_COOKIE=	${WRKDIR}/.wrapper_done
 .if !target(wrapper)
 .  if defined(NO_BUILD)
 wrapper: patch wrapper-cookie
+.  elif !exists(${_WRAPPER_COOKIE})
+wrapper: check-vulnerable patch acquire-wrapper-lock ${_WRAPPER_COOKIE} release-wrapper-lock
 .  else
-wrapper: patch acquire-wrapper-lock ${_WRAPPER_COOKIE} release-wrapper-lock
+wrapper:
+	@${DO_NADA}
 .  endif
 .endif
 
@@ -788,13 +791,8 @@ wrapper: patch acquire-wrapper-lock ${_WRAPPER_COOKIE} release-wrapper-lock
 acquire-wrapper-lock: acquire-lock
 release-wrapper-lock: release-lock
 
-.if !exists(${_WRAPPER_COOKIE})
 ${_WRAPPER_COOKIE}:
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-wrapper PKG_PHASE=wrapper
-.else
-${_WRAPPER_COOKIE}:
-	@${DO_NADA}
-.endif
 
 .PHONY: real-wrapper
 real-wrapper: wrapper-message wrapper-vars pre-wrapper do-wrapper post-wrapper wrapper-cookie error-check
@@ -823,4 +821,4 @@ post-wrapper:
 .PHONY: wrapper-cookie
 wrapper-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_WRAPPER_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_WRAPPER_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_WRAPPER_COOKIE}