NetBSD Problem Report #46538
From dholland@macaran.localdomain Mon Jun 4 03:45:17 2012
Return-Path: <dholland@macaran.localdomain>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 6BFA263BA27
for <gnats-bugs@gnats.NetBSD.org>; Mon, 4 Jun 2012 03:45:17 +0000 (UTC)
Message-Id: <20120604034720.32FED6E220@macaran.localdomain>
Date: Sun, 3 Jun 2012 23:47:20 -0400 (EDT)
From: dholland@eecs.harvard.edu
Reply-To: dholland@eecs.harvard.edu
To: gnats-bugs@gnats.NetBSD.org
Subject: audit-packages results appear in arbitrary order
X-Send-Pr-Version: 3.95
>Number: 46538
>Category: pkg
>Synopsis: audit-packages results appear in arbitrary order
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jun 04 03:50:01 +0000 2012
>Last-Modified: Sun Jun 24 20:45:00 +0000 2012
>Originator: David A. Holland
>Release: NetBSD 6.99.3 (pkg_install 20120221)
>Organization:
>Environment:
System: NetBSD macaran 6.99.3 NetBSD 6.99.3 (MACARAN) #11: Mon Feb 27 17:12:40 EST 2012 dholland@macaran:/usr/src/sys/arch/amd64/compile/MACARAN amd64
Architecture: x86_64
Machine: amd64
>Description:
audit-packages prints results in arbitrary order, probably the result
of iterating a hash table or something.
It should either be sorted explicitly (probably by package name and
then url) or retain the ordering of the input file, which is pretty
much chronological.
Either way would help to avoid the problem where a new issue slips in
between long-existing unpatched issues and goes unnoticed, which a
number of people have commented on recently and I've long found
annoying.
>How-To-Repeat:
audit-packages on a system that hasn't been patched in a while.
>Fix:
dunno.
>Audit-Trail:
From: Steven Drake <sbd@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/46538: audit-packages results appear in arbitrary order
Date: Mon, 4 Jun 2012 19:16:25 +1200 (NZST)
On Mon, 4 Jun 2012, dholland@eecs.harvard.edu wrote:
> audit-packages prints results in arbitrary order, probably the result
> of iterating a hash table or something.
>
> It should either be sorted explicitly (probably by package name and
> then url) or retain the ordering of the input file, which is pretty
> much chronological.
Try the below script, I find it very handy.
--
Steven
#!/bin/sh
# Periodic pkgsrc security report: sorts the audit output and compares it
# with the previous run so that newly added entries are listed separately.
PATH="/usr/pkg/sbin:/usr/pkg/bin:$PATH"
PKGDB_DIR=/var/db/pkg
LAST_VULNS=${PKGDB_DIR}/.last_vulns
(
	echo "To: root"
	echo "Subject: pkgsrc security report for `uname -n`"
	echo
	TMP1=`mktemp`
	TMP2=`mktemp`
	trap 'rm -f "$TMP1" "$TMP2"' EXIT
	echo "Checking package's installed files..."
	echo "-------------------------------------"
	pkg_admin -q check 2>&1
	echo ""
	pkg_admin fetch-pkg-vulnerabilities
	# Sorted, so that comm(1) below sees both inputs in the same order.
	pkg_admin audit | sort >"$TMP1"
	if [ -s "$TMP1" ]; then
		echo "Checking package vulnerabilities..."
		echo "-----------------------------------"
		if [ -s "$LAST_VULNS" ]; then
			# Lines present now that were not in the previous report.
			comm -23 "$TMP1" "$LAST_VULNS" >"$TMP2"
			if [ -s "$TMP2" ]; then
				echo "New vulnerabilities:"
				cat "$TMP2"
				echo ""
			fi
		fi
		echo "All vulnerabilities:"
		cat "$TMP1"
		# Remember this run's (sorted) report for the next comparison.
		cat "$TMP1" >"$LAST_VULNS"
	fi
) | sendmail -t
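As an added example (not the script above and not pkg_install's own code), the following orders audit lines by package name and then advisory URL, as the report suggests, and flags lines absent from the previous run without depending on a shared sort order. It assumes the "Package NAME has a KIND vulnerability, see URL" line shape; the sample lines and example.invalid URLs are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or from pkg_install: give pkg_admin
# audit output a deterministic order (package name, then advisory URL) and
# report entries that were missing from the previous run.
# Assumes lines of the form "Package NAME has a KIND vulnerability, see URL";
# the sample reports and example.invalid URLs below are constructed.

# Order audit lines by package name (2nd word), then URL (last word).
# The two keys are prepended, sorted on, then stripped again.
sort_audit() {
    awk '{ print $2, $NF, $0 }' |
        sort -b -k1,1 -k2,2 |
        cut -d ' ' -f3-
}

# Print lines of the current report ($2) not found in the previous one ($1).
# Membership is by exact line, so the two files need not share a sort order
# (unlike comm(1)). A missing or empty previous report means every line is new;
# that case is handled explicitly because awk's NR == FNR idiom misfires on
# an empty first file.
new_vulns() {
    if [ -s "$1" ]; then
        awk 'NR == FNR { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
    else
        cat "$2"
    fi
}

# Constructed sample reports, deliberately in arbitrary order. The current
# report adds one advisory for a package that already had older, unpatched
# ones (the "slips in between" case from the PR) and one new package.
PREV_REPORT='Package zlib-1.2.5 has a buffer-overflow vulnerability, see http://example.invalid/adv/0002
Package foo-2.1 has a denial-of-service vulnerability, see http://example.invalid/adv/0003
Package foo-2.1 has a denial-of-service vulnerability, see http://example.invalid/adv/0001'

NOW_REPORT="$PREV_REPORT
Package foo-2.1 has a code-execution vulnerability, see http://example.invalid/adv/0002
Package bar-0.9 has a denial-of-service vulnerability, see http://example.invalid/adv/0004"

# Stand-alone demonstration on the constructed samples.
demo() {
    prev=$(mktemp) && now=$(mktemp) || return 1
    printf '%s\n' "$PREV_REPORT" | sort_audit >"$prev"
    printf '%s\n' "$NOW_REPORT"  | sort_audit >"$now"
    echo "New vulnerabilities:";  new_vulns "$prev" "$now"
    echo "All vulnerabilities:"; cat "$now"
    rm -f "$prev" "$now"
}
```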
From: David Holland <dholland-pbugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/46538: audit-packages results appear in arbitrary order
Date: Sun, 24 Jun 2012 20:43:50 +0000
On Mon, Jun 04, 2012 at 07:20:04AM +0000, Steven Drake wrote:
> On Mon, 4 Jun 2012, dholland@eecs.harvard.edu wrote:
>
> > audit-packages prints results in arbitrary order, probably the result
> > of iterating a hash table or something.
> >
> > It should either be sorted explicitly (probably by package name and
> > then url) or retain the ordering of the input file, which is pretty
> > much chronological.
>
> Try the below script, I find it very handy.
> [snip]
Hrm. Something like that could go nicely into /etc/security, and that
would certainly help with the visibility problem.
audit-packages should still itself print in a sensible order though.
--
David A. Holland
dholland@netbsd.org
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.