From 6155b7d53ace0c43ed30ad4c84dc968f54f07928 Mon Sep 17 00:00:00 2001
From: jlam
Date: Wed, 5 Jul 2006 09:08:35 +0000
Subject: Make the check-vulnerable target more self-sufficient, by moving some of the logic from fetch/fetch.mk into flavor/pkg/check.mk, so that check-vulnerable can be used as a source target. Make check-vulnerable a source target for every phase of the build workflow, which ensures that it is always run if the user starts a new phase from the command line. Fix the cookie-generation targets so that they don't append, only overwrite to the cookie file. This works around potential problems due to recursive makes. Move the cookie checks so that they surround the corresponding phase target. The presence of the cookie should now inform the make process to avoid doing any processing of phases that occur before the phase corresponding to the cookie.
---
mk/flavor/pkg/check.mk | 51 ++++++++++++++++++++++++++++++++++++++------------
1 file changed, 39 insertions(+), 12 deletions(-)
(limited to 'mk/flavor/pkg')
diff --git a/mk/flavor/pkg/check.mk b/mk/flavor/pkg/check.mk
index 537599df581..8b4eddede20 100644
--- a/mk/flavor/pkg/check.mk
+++ b/mk/flavor/pkg/check.mk
@@ -1,4 +1,4 @@
-# $NetBSD: check.mk,v 1.1 2006/06/03 23:11:42 jlam Exp $
+# $NetBSD: check.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### check-vulnerable (PUBLIC, pkgsrc/mk/check/check.mk)
@@ -12,16 +12,43 @@
 ###
 .PHONY: check-vulnerable
 check-vulnerable:
- @if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
- . ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \
- elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
- . ${PKG_SYSCONFDIR}/audit-packages.conf; \
+.if defined(ALLOW_VULNERABLE_PACKAGES)
+ @${DO_NADA}
+.else
+ ${_PKG_SILENT}${_PKG_DEBUG} \
+ vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities; \
+ if ${TEST} ! -f "$$vulnfile"; then \
+ ${PHASE_MSG} "Skipping vulnerability checks."; \
+ ${WARNING_MSG} "No $$vulnfile file found."; \
+ ${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
+ ${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
+ exit 0; \
 fi; \
- if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
- ${SETENV} PKGNAME=${PKGNAME} \
- PKGBASE=${PKGBASE} \
- ${AWK} '/^$$/ { next } \
- /^#.*/ { next } \
- $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
- { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
+ ${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
+ conffile=; \
+ for dir in \
+ __dummy \
+ ${PKG_SYSCONFDIR.audit-packages:Q}"" \
+ ${PKG_SYSCONFDIR:Q}""; \
+ do \
+ case $$dir in \
+ /*) conffile="$$dir/audit-packages.conf"; break ;; \
+ *) continue ;; \
+ esac; \
+ done; \
+ if ${TEST} -z "$$conffile" -a -f "$$conffile"; then \
+ . 
$$conffile; \
+ fi; \
+ ${SETENV} PKGNAME=${PKGNAME} \
+ PKGBASE=${PKGBASE} \
+ ${AWK} 'BEGIN { exitcode = 0 } \
+ /^$$/ { next } \
+ /^#.*/ { next } \
+ $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
+ { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
+ END { exit exitcode }' < $$vulnfile || ${FALSE}; \
+ if ${TEST} "$$?" -ne 0; then \
+ ${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+ ${FALSE}; \
 fi
+.endif
-- cgit v1.2.3
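Review bot: The guard `if ${TEST} -z "$$conffile" -a -f "$$conffile"; then` that follows the `for dir in` loop can never be true, because `-z` requires an empty string while `-f` requires an existing path, so audit-packages.conf is never sourced and the behaviour the removed `. ${PKG_SYSCONFDIR}/audit-packages.conf` lines provided is silently lost; it should read `if ${TEST} -n "$$conffile" -a -f "$$conffile"; then`. Separately, the awk `sprintf(...)` / `system(s)` line builds a shell command from fields $1, $2 and $3 of the pkg-vulnerabilities file, with $2 and $3 spliced in unquoted, so a malformed or tampered entry containing shell metacharacters would execute during the build; whether that file's integrity is verified before this target runs is not visible in this hunk, and it is worth confirming at the `download-vulnerability-list` step the warning points to. A missing vulnerabilities file only warns and then `exit 0`s, which means a build host without the list passes this check without noise beyond the warning; if that is intended, a one-line comment above the `vulnfile=` assignment such as `# A missing list is a warning, not a failure; only ALLOW_VULNERABLE_PACKAGES disables the check outright` would make the policy explicit. The whole `check-vulnerable` target, including the closing `.endif`, is contained in this hunk.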