authorjoerg <joerg@pkgsrc.org>2009-02-05 17:22:19 +0000
committerjoerg <joerg@pkgsrc.org>2009-02-05 17:22:19 +0000
commit60289b484dcaf4b2f1b75b1a2676e6adc323b93b (patch)
treeb9fa7d26cc0b711d5120ccf918754e0dcdc640f9 /pkgtools
parentf89a759330559ee3906219c3afd7543f874f0798 (diff)
downloadpkgsrc-60289b484dcaf4b2f1b75b1a2676e6adc323b93b.tar.gz
pkg_install-20090205:
- Restrict audit-related commands to the documented set and/or fix the documentation. - Add support for conditional fetch-pkg-vulnerabilities via the -u option.
Diffstat (limited to 'pkgtools')
-rw-r--r--pkgtools/pkg_install/files/admin/audit.c60
-rw-r--r--pkgtools/pkg_install/files/admin/pkg_admin.16
-rw-r--r--pkgtools/pkg_install/files/admin/pkg_admin.cat116
-rw-r--r--pkgtools/pkg_install/files/lib/version.h4
4 files changed, 67 insertions, 19 deletions
diff --git a/pkgtools/pkg_install/files/admin/audit.c b/pkgtools/pkg_install/files/admin/audit.c
index 056f6ada365..f8f8f363026 100644
--- a/pkgtools/pkg_install/files/admin/audit.c
+++ b/pkgtools/pkg_install/files/admin/audit.c
@@ -1,4 +1,4 @@
-/* $NetBSD: audit.c,v 1.11 2009/02/02 12:35:00 joerg Exp $ */
+/* $NetBSD: audit.c,v 1.12 2009/02/05 17:22:19 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
@@ -7,7 +7,7 @@
#if HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: audit.c,v 1.11 2009/02/02 12:35:00 joerg Exp $");
+__RCSID("$NetBSD: audit.c,v 1.12 2009/02/05 17:22:19 joerg Exp $");
/*-
* Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
@@ -76,11 +76,14 @@ __RCSID("$NetBSD: audit.c,v 1.11 2009/02/02 12:35:00 joerg Exp $");
static int check_eol = 0;
static int check_signature = 0;
static const char *limit_vul_types = NULL;
+static int update_pkg_vuln = 0;
static struct pkg_vulnerabilities *pv;
+static const char audit_options[] = "est:";
+
static void
-parse_options(int argc, char **argv)
+parse_options(int argc, char **argv, const char *options)
{
int ch;
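Review bot: `parse_options()` now takes its getopt string from the caller, but nothing in this hunk documents that contract. A short comment above the definition would help, e.g. `/* options is a getopt(3) string; each subcommand passes only the flags it documents, anything else ends in usage(). */`. It is also worth stating there that the results land in file-scope statics (`check_eol`, `limit_vul_types`, `update_pkg_vuln`), so a flag left out of a caller's string keeps its default. The function body continues outside this hunk.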
@@ -94,7 +97,7 @@ parse_options(int argc, char **argv)
++argc;
--argv;
- while ((ch = getopt(argc, argv, "est:")) != -1) {
+ while ((ch = getopt(argc, argv, options)) != -1) {
switch (ch) {
case 'e':
check_eol = 1;
@@ -105,6 +108,9 @@ parse_options(int argc, char **argv)
case 't':
limit_vul_types = optarg;
break;
+ case 'u':
+ update_pkg_vuln = 1;
+ break;
default:
usage();
/* NOTREACHED */
@@ -211,7 +217,7 @@ audit_pkgdb(int argc, char **argv)
{
int rv;
- parse_options(argc, argv);
+ parse_options(argc, argv, audit_options);
argv += optind;
check_and_read_pkg_vulnerabilities();
@@ -235,7 +241,7 @@ audit_pkg(int argc, char **argv)
{
int rv;
- parse_options(argc, argv);
+ parse_options(argc, argv, audit_options);
argv += optind;
check_and_read_pkg_vulnerabilities();
@@ -255,7 +261,7 @@ audit_batch(int argc, char **argv)
{
int rv;
- parse_options(argc, argv);
+ parse_options(argc, argv, audit_options);
argv += optind;
check_and_read_pkg_vulnerabilities();
@@ -272,7 +278,7 @@ audit_batch(int argc, char **argv)
void
check_pkg_vulnerabilities(int argc, char **argv)
{
- parse_options(argc, argv);
+ parse_options(argc, argv, "s");
if (argc != optind + 1)
usage();
@@ -287,18 +293,50 @@ fetch_pkg_vulnerabilities(int argc, char **argv)
char *buf, *decompressed_input;
size_t buf_len, buf_fetched, decompressed_len;
ssize_t cur_fetched;
+ struct url *url;
struct url_stat st;
fetchIO *f;
int fd;
+ struct stat sb;
+ char my_flags[20];
+ const char *flags;
- parse_options(argc, argv);
+ parse_options(argc, argv, "su");
if (argc != optind)
usage();
if (verbose >= 2)
fprintf(stderr, "Fetching %s\n", pkg_vulnerabilities_url);
- f = fetchXGetURL(pkg_vulnerabilities_url, &st, fetch_flags);
+ url = fetchParseURL(pkg_vulnerabilities_url);
+ if (url == NULL)
+ errx(EXIT_FAILURE,
+ "Could not parse location of pkg_vulnerabilities: %s",
+ fetchLastErrString);
+
+ flags = fetch_flags;
+ if (update_pkg_vuln) {
+ fd = open(pkg_vulnerabilities_file, O_RDONLY);
+ if (fd != -1 && fstat(fd, &sb) != -1) {
+ url->last_modified = sb.st_mtime;
+ snprintf(my_flags, sizeof(my_flags), "%si",
+ fetch_flags);
+ flags = my_flags;
+ } else
+ update_pkg_vuln = 0;
+ if (fd != -1)
+ close(fd);
+ }
+
+ f = fetchXGet(url, &st, flags);
+ if (f == NULL && update_pkg_vuln &&
+ fetchLastErrCode == FETCH_UNCHANGED) {
+ if (verbose >= 1)
+ fprintf(stderr, "%s is not newer\n",
+ pkg_vulnerabilities_url);
+ exit(EXIT_SUCCESS);
+ }
+
if (f == NULL)
errx(EXIT_FAILURE, "Could not fetch vulnerability file: %s",
fetchLastErrString);
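Review bot: The `FETCH_UNCHANGED` branch calls `exit(EXIT_SUCCESS)` without looking at the file already on disk, so `-su` reports success without any format or signature check having run. The decision rests on the local `st_mtime` and on the server's answer; a local timestamp that is ahead of the real publication time, or a mirror or proxy that keeps answering "not modified", leaves an old vulnerability list in place while the command still succeeds. Consider re-validating the existing file on that path, for example `check_and_read_pkg_vulnerabilities();` before the `exit` if that helper honours `check_signature` (its body is not in this hunk), and at least add `/* unchanged: the local copy is NOT re-verified here */`. `fetch_pkg_vulnerabilities()` starts and continues outside the hunk, so whether `url` is released later cannot be seen from here.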
@@ -460,7 +498,7 @@ check_pkg_history(const char *pkg)
void
audit_history(int argc, char **argv)
{
- parse_options(argc, argv);
+ parse_options(argc, argv, "st:");
argv += optind;
check_and_read_pkg_vulnerabilities();
diff --git a/pkgtools/pkg_install/files/admin/pkg_admin.1 b/pkgtools/pkg_install/files/admin/pkg_admin.1
index 061972c31b9..e67b977691d 100644
--- a/pkgtools/pkg_install/files/admin/pkg_admin.1
+++ b/pkgtools/pkg_install/files/admin/pkg_admin.1
@@ -1,4 +1,4 @@
-.\" $NetBSD: pkg_admin.1,v 1.19 2009/02/02 12:35:00 joerg Exp $
+.\" $NetBSD: pkg_admin.1,v 1.20 2009/02/05 17:22:19 joerg Exp $
.\"
.\" Copyright (c) 1999-2008 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -137,7 +137,7 @@ but check only the given package names or patterns.
Like
.Cm audit-pkg ,
but read the package names or patterns one per line from the given files.
-.It Cm audit-history Oo Fl t Ar type Oc Oo Ar pkgbase Oc ...
+.It Cm audit-history Oo Fl s Oc Oo Fl t Ar type Oc Oo Ar pkgbase Oc ...
Print all vulnerabilities for the given base package names.
.It Cm check Op Ar pkg ...
Use this command to check the files belonging to some or all of the
@@ -184,7 +184,7 @@ Dump the contents of the package database, similar to
.Cm pkg_info -F .
Columns are printed for the keyfield used in the pkgdb - the filename -,
and the data field - the package the file belongs to.
-.It Cm fetch-pkg-vulnerabilities Op Fl s
+.It Cm fetch-pkg-vulnerabilities Oo Fl su Oc
Fetch a new pkg-vulnerabilities file, check the format and if
.Fl s
is given the signature.
diff --git a/pkgtools/pkg_install/files/admin/pkg_admin.cat1 b/pkgtools/pkg_install/files/admin/pkg_admin.cat1
index f66f88d01aa..9ce789b6389 100644
--- a/pkgtools/pkg_install/files/admin/pkg_admin.cat1
+++ b/pkgtools/pkg_install/files/admin/pkg_admin.cat1
@@ -69,7 +69,7 @@ OOPPTTIIOONNSS
Like aauuddiitt--ppkkgg, but read the package names or patterns one per
line from the given files.
- aauuddiitt--hhiissttoorryy [--tt _t_y_p_e] [_p_k_g_b_a_s_e] ...
+ aauuddiitt--hhiissttoorryy [--ss] [--tt _t_y_p_e] [_p_k_g_b_a_s_e] ...
Print all vulnerabilities for the given base package names.
cchheecckk [_p_k_g _._._.]
@@ -93,6 +93,9 @@ OOPPTTIIOONNSS
Check format and hashes in the pkg-vulnerabilties file _f_i_l_e. If
--ss is given, also check the embedded signature.
+ cchheecckk--ssiiggnnaattuurree _f_i_l_e _._._.
+ Reports if _f_i_l_e is a correctly signed package.
+
ccoonnffiigg--vvaarr _v_a_r_i_a_b_l_e
Print the current value of _v_a_r_i_a_b_l_e as used after parsing the
configuration file.
@@ -106,7 +109,7 @@ OOPPTTIIOONNSS
--FF. Columns are printed for the keyfield used in the pkgdb - the
filename -, and the data field - the package the file belongs to.
- ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess [--ss]
+ ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess [--ssuu]
Fetch a new pkg-vulnerabilities file, check the format and if --ss
is given the signature. If all checks are passed, write it to
pkgdb.
@@ -172,6 +175,13 @@ OOPPTTIIOONNSS
Packages that are not installed directly by the user but pulled
in as dependencies are marked by setting ``automatic=YES''.
+ ggppgg--ssiiggnn--ppaacckkaaggee ppkkgg
+ Sign the binary package _p_k_g using GPG.
+
+ xx550099--ssiiggnn--ppaacckkaaggee ppkkgg ssppkkgg kkeeyy cceerrtt
+ Sign the binary package _p_k_g using the key _k_e_y and the certificate
+ _c_e_r_t, using _s_p_k_g as output file.
+
uunnsseett _v_a_r_i_a_b_l_e _p_k_g _._._.
Remove an installation variable.
@@ -213,4 +223,4 @@ HHIISSTTOORRYY
AAUUTTHHOORRSS
The ppkkgg__aaddmmiinn command was written by Hubert Feyrer.
-NetBSD 4.0 May 26, 2008 NetBSD 4.0
+NetBSD 5.0 May 30, 2008 NetBSD 5.0
diff --git a/pkgtools/pkg_install/files/lib/version.h b/pkgtools/pkg_install/files/lib/version.h
index 4ce786660d8..c74c3afd75d 100644
--- a/pkgtools/pkg_install/files/lib/version.h
+++ b/pkgtools/pkg_install/files/lib/version.h
@@ -1,4 +1,4 @@
-/* $NetBSD: version.h,v 1.108 2009/02/02 12:35:01 joerg Exp $ */
+/* $NetBSD: version.h,v 1.109 2009/02/05 17:22:19 joerg Exp $ */
/*
* Copyright (c) 2001 Thomas Klausner. All rights reserved.
@@ -27,6 +27,6 @@
#ifndef _INST_LIB_VERSION_H_
#define _INST_LIB_VERSION_H_
-#define PKGTOOLS_VERSION "20090201"
+#define PKGTOOLS_VERSION "20090205"
#endif /* _INST_LIB_VERSION_H_ */