path: root/security/audit-packages
author    agc <agc@pkgsrc.org>  2001-04-24 09:32:13 +0000
committer agc <agc@pkgsrc.org>  2001-04-24 09:32:13 +0000
commit    15e9ce8614e7f7c1adb2581217576e5f496dcce5 (patch)
tree      b71bafa0f1459bdc8d67b0d83f5f164b494e752d /security/audit-packages
parent    efe100f83c8f60b286592129246736ec1a2f84b3 (diff)
download  pkgsrc-15e9ce8614e7f7c1adb2581217576e5f496dcce5.tar.gz
Update to version 1.7 of audit-packages.
Incorporates the following changes from Anne Bennett (anne@alcor.concordia.ca) in PR 12538:

(1) Running download-vulnerability-list as it stands from cron will spam the sysadmin with ftp output. Easy to fix: redirect output to /dev/null as per the example in pkg/MESSAGE. Problem: now we lose some error messages as well. Patch: make sure error complaints in that script are spouted to STDERR, not STDOUT.

(3) Minor readability issue: set the source location for the vulnerability list in a variable at the top of the script.

(4) PR 12457 reported that audit-packages complained spuriously when the vulnerability list had not been updated in over a week, and suggested touching it as a solution. This loses the information of when the file was really last updated. I'd prefer to always "mv" the new file into place, and use mtime instead of ctime in the file freshness test.

I did this part of the PR differently, as I was worried about incomplete vulnerability lists being downloaded, and overwriting an existing vulnerability list:

(2) ftp failure in download-vulnerability-list is not being detected properly by the current "${FETCH_CMD} .. || (complain; exit 1)" test. Patch: test for a non-zero vulnerability file instead. Don't forget to remove any zero-length droppings, if any. We know that the vulnerability list size will increase, and not decrease, so test the size of the newly-downloaded file. If the new file is smaller than the existing file, then a bad transfer has taken place - log this fact, and remove the new list.
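The commit message above describes the intended download discipline: fetch into a temporary file, reject an empty or shrunken transfer, remove any droppings, and only then "mv" the result into place. The script below is an added example written for this page, not pkgsrc's own download-vulnerability-list, showing that discipline with the fetch exit status actually checked and without the `( ...; exit 1 )` subshell idiom, which only leaves the subshell. It assumes the fetch tool takes `-o outfile url` as `${FETCH_CMD}` does in the commit; `fake_fetch`, the sample list contents and the example.invalid URL are constructed so the scenarios run offline.

```shell
#!/bin/sh
# Added example, not pkgsrc's download-vulnerability-list: install a new
# vulnerability list only after the transfer is known to be good.
# Assumptions: the fetch command takes "-o outfile url" (like ${FETCH_CMD}
# in the commit); fake_fetch, the sample lists and the example.invalid URL
# are constructed for offline testing.

# Portable byte count (no ls -l column parsing; tr strips BSD wc padding).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# update_vuln_list DISTDIR FETCH_CMD URL
# Returns 0 and atomically replaces DISTDIR/vulnerabilities only when the
# transfer succeeded, the file is non-empty and not smaller than the old one.
# Every failure path removes the temporary file so no droppings are left.
update_vuln_list() {
    distdir=$1; fetch_cmd=$2; url=$3
    existing="$distdir/vulnerabilities"
    new="$distdir/vulnerabilities.$$"

    if [ ! -d "$distdir" ]; then
        # { ...; return 1; } really leaves the function, unlike ( ...; exit 1 )
        mkdir -p "$distdir" || { echo "Can't create $distdir" 1>&2; return 1; }
    fi

    if ! $fetch_cmd -o "$new" "$url"; then
        echo "Can't download vulnerability list from $url" 1>&2
        rm -f "$new"
        return 1
    fi
    if [ ! -s "$new" ]; then
        echo "Downloaded vulnerability list is missing or empty" 1>&2
        rm -f "$new"
        return 1
    fi
    if [ -f "$existing" ]; then
        oldsize=$(file_size "$existing")
        newsize=$(file_size "$new")
        if [ "$newsize" -lt "$oldsize" ]; then
            echo "New list ($newsize bytes) is smaller than existing list ($oldsize bytes)" 1>&2
            rm -f "$new"
            return 1
        fi
    fi
    # rename(2) is atomic within one filesystem: a concurrent audit-packages
    # sees either the old list or the new one, never a partial file.
    mv -f "$new" "$existing" || { rm -f "$new"; return 1; }
}

# Constructed stand-in for the fetch tool: "downloads" by copying the file
# named in FAKE_REMOTE; with FAKE_REMOTE empty it fails and writes nothing.
fake_fetch() {
    [ -n "$FAKE_REMOTE" ] || return 1
    cp "$FAKE_REMOTE" "$2"
}

# Runs the routine through the transfer outcomes a cron job can meet and
# returns 0 only when every one of them was handled as intended.
run_scenarios() {
    work=$(mktemp -d) || return 1
    dist="$work/distfiles"
    src="ftp://example.invalid/vulnerabilities"
    # Constructed sample lists; the real file format is not assumed.
    printf 'foo-1.0 remote-root-shell http://example.invalid/1\n' > "$work/v1"
    cat "$work/v1" > "$work/v2"
    printf 'bar-2.3 buffer-overflow http://example.invalid/2\n' >> "$work/v2"
    : > "$work/empty"
    status=0

    FAKE_REMOTE="$work/v1"          # first run: no existing list, install v1
    update_vuln_list "$dist" fake_fetch "$src" 2>/dev/null \
        && cmp -s "$dist/vulnerabilities" "$work/v1" || status=1
    FAKE_REMOTE="$work/v2"          # list grew: accept v2
    update_vuln_list "$dist" fake_fetch "$src" 2>/dev/null \
        && cmp -s "$dist/vulnerabilities" "$work/v2" || status=1
    FAKE_REMOTE="$work/v1"          # truncated transfer: reject, keep v2
    if update_vuln_list "$dist" fake_fetch "$src" 2>/dev/null; then status=1; fi
    FAKE_REMOTE="$work/empty"       # server handed back an empty file: reject
    if update_vuln_list "$dist" fake_fetch "$src" 2>/dev/null; then status=1; fi
    FAKE_REMOTE=""                  # transfer failed outright: reject
    if update_vuln_list "$dist" fake_fetch "$src" 2>/dev/null; then status=1; fi
    cmp -s "$dist/vulnerabilities" "$work/v2" || status=1
    [ "$(ls "$dist")" = vulnerabilities ] || status=1   # no .$$ droppings left

    rm -rf "$work"
    return $status
}

run_scenarios && echo "all transfer outcomes handled as intended"
```

Run as-is it exercises the constructed fetcher only; for the real job the call would be `update_vuln_list "$DISTDIR" "$FETCH_CMD" "$VUL_SOURCE"` with stdout sent to /dev/null from cron, since every complaint already goes to stderr.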
Diffstat (limited to 'security/audit-packages')
-rw-r--r--  security/audit-packages/Makefile                           |  4
-rwxr-xr-x  security/audit-packages/files/audit-packages               |  2
-rw-r--r--  security/audit-packages/files/download-vulnerability-list  | 20
3 files changed, 14 insertions, 12 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile
index 4f0325427ca..238d6cdc100 100644
--- a/security/audit-packages/Makefile
+++ b/security/audit-packages/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.8 2001/04/02 10:35:25 agc Exp $
+# $NetBSD: Makefile,v 1.9 2001/04/24 09:32:13 agc Exp $
-DISTNAME= audit-packages-1.6
+DISTNAME= audit-packages-1.7
CATEGORIES= security pkgtools
MASTER_SITES= # empty
DISTFILES= # empty
diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages
index aec5a34a820..a9b29468801 100755
--- a/security/audit-packages/files/audit-packages
+++ b/security/audit-packages/files/audit-packages
@@ -6,7 +6,7 @@ if [ ! -f ${DISTDIR}/vulnerabilities ] ;then
exit 1
fi
-if [ -n "$(find ${DISTDIR}/vulnerabilities -mtime +7)" ]
+if [ -n "$(find ${DISTDIR}/vulnerabilities -ctime +7)" ]
then
echo "** ${DISTDIR}/vulnerabilities more than a week old" 1>&2
echo "** run download-vulnerability-list" 1>&2
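Review bot: the hunk replaces `-mtime +7` with `-ctime +7`, which is the reverse of what item (4) of the commit message says ("use mtime instead of ctime in the file freshness test"); either the message or the hunk needs correcting so the two agree. Since the `${TOUCH} ${DISTDIR}/vulnerabilities` line is removed in download-vulnerability-list, the only thing that now refreshes the installed file's timestamps is the `/bin/mv -f` into place, so state explicitly which timestamp is meant to carry the "last successfully downloaded" meaning and why.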
diff --git a/security/audit-packages/files/download-vulnerability-list b/security/audit-packages/files/download-vulnerability-list
index e7271ef7baa..c9afb3c9a96 100644
--- a/security/audit-packages/files/download-vulnerability-list
+++ b/security/audit-packages/files/download-vulnerability-list
@@ -1,21 +1,23 @@
#! /bin/sh
-NEW_VUL_LIST=${DISTDIR}/vulnerabilities.$$
-
if [ ! -e ${DISTDIR} ]; then
echo "Creating ${DISTDIR}"
- /bin/mkdir -p ${DISTDIR} || (echo "Can't create ${DISTDIR}"; exit 1)
+ /bin/mkdir -p ${DISTDIR} || (echo "Can't create ${DISTDIR}" 1>&2; exit 1)
fi
-${FETCH_CMD} -o ${NEW_VUL_LIST} ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities || \
- (echo "Can't download vulnerability list"; exit 1)
+VUL_SOURCE="ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities"
+NEW_VUL_LIST=${DISTDIR}/vulnerabilities.$$
+EXIST_VUL_LIST=${DISTDIR}/vulnerabilities
-if /usr/bin/cmp -s ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities > /dev/null 2>&1; then
+${FETCH_CMD} -o ${NEW_VUL_LIST} ${VUL_SOURCE}
+existsize=`/bin/ls -l ${EXIST_VUL_LIST} | ${AWK} '{ print $5 }'`
+newsize=`/bin/ls -l ${NEW_VUL_LIST} | ${AWK} '{ print $5 }'`
+if [ $newsize -lt $existsize ]; then
+ echo "New vulnerability list ($$newsize bytes) is smaller than existing list ($$existsize bytes)" 1>&2
/bin/rm -f ${NEW_VUL_LIST}
-else
- /bin/mv ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities
+ exit 1
fi
-${TOUCH} ${DISTDIR}/vulnerabilities
+/bin/mv -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
exit 0
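Review bot: the fetch at `${FETCH_CMD} -o ${NEW_VUL_LIST} ${VUL_SOURCE}` has no failure handling at all, so the "test for a non-zero vulnerability file" and "remove any zero-length droppings" from the commit message are not actually implemented. If the transfer fails without creating the file, `newsize` is empty, `[ $newsize -lt $existsize ]` is a syntax error in test(1) and counts as false, the script falls through to `/bin/mv -f` of a nonexistent file and still exits 0; the same empty-operand path is taken on a first run when `${EXIST_VUL_LIST}` does not exist yet. Add `[ -s ${NEW_VUL_LIST} ] || { echo "Can't download vulnerability list" 1>&2; rm -f ${NEW_VUL_LIST}; exit 1; }` before the size comparison, and guard the comparison with `-f ${EXIST_VUL_LIST}`. Two smaller points: `$$newsize` and `$$existsize` in the echo expand to the shell PID followed by the literal word, so the message never shows the sizes (use `$newsize` / `$existsize`); and the `+` mkdir line keeps the `( ...; exit 1 )` subshell, which only exits the subshell and lets the script continue, the same defect the message identifies for the fetch test, so use `{ ...; exit 1; }` there too.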