pkg audit vs. moved ports

When a FreeBSD port moves its origin from one to another, its security vulnerabilities will no longer be tracked. One example is editors/vim-lite, which no longer exists; its new name is editors/vim-console. Although vim has just recently had a CVE vulnerability, vim-lite will not be marked as vulnerable by pkg audit (or by the periodic daily emails based on its output). How can/should such cases be best spotted in a timely manner?
 
You are wrong. Once a package has been marked for deletion, pkg marks it and also adds an entry in the /usr/ports/UPDATING file, which you are supposed to read every time before performing any update. After that it's the user/admin's job to remove the package from the system.
 
I knew about it; the MOVED file is of little relevance for someone who doesn't even have the ports tree, relying only on pkg. It should probably be noted somewhere that having the ports tree and keeping an eye on the UPDATING & MOVED files is still required, even if you don't build any of the ports yourself.
 
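As an added example of spotting such cases (not code from the thread or from the FreeBSD project): a small POSIX sh script that joins the installed packages' origins, in the format `pkg query '%o %n-%v'` prints, against the ports tree's MOVED file, whose lines are `old-origin|new-origin|date|reason`. The MOVED entries and installed-package list below are constructed samples; on a real host you would feed it /usr/ports/MOVED and the live pkg query output.

```shell
#!/bin/sh
# Added example, not code from the thread: cross-reference installed package
# origins against the ports tree's MOVED file so that a renamed or removed
# port (e.g. editors/vim-lite -> editors/vim-console) is flagged even though
# pkg audit will not report vulnerabilities under the old origin.
#
# MOVED line format: old-origin|new-origin|YYYY-MM-DD|reason
# (an empty new-origin means the port was removed, not renamed).
# Installed-origin lines are what `pkg query '%o %n-%v'` prints.
# Both samples below are constructed so the script runs offline.

MOVED_SAMPLE='editors/vim-lite|editors/vim-console|2021-03-01|Renamed to vim-console
editors/vim-tiny||2021-03-01|Removed, use editors/vim-console
www/apache22||2018-07-01|Has expired: EOL'

INSTALLED_SAMPLE='editors/vim-lite vim-lite-8.2.2000
shells/bash bash-5.1.4
www/apache22 apache22-2.2.34'

# check_moved MOVED_TEXT INSTALLED_TEXT
# Prints one line per installed package whose origin appears in MOVED:
#   <origin> <name-version> RENAMED <new-origin>
#   <origin> <name-version> REMOVED <reason>
check_moved() {
    printf '%s\n' "$2" | awk -v moved="$1" '
        BEGIN {
            n = split(moved, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, "|")
                if (f[1] != "") { newo[f[1]] = f[2]; why[f[1]] = f[4] }
            }
        }
        # $1 = installed origin, $2 = package name-version
        $1 in newo {
            if (newo[$1] != "") print $1, $2, "RENAMED", newo[$1]
            else                print $1, $2, "REMOVED", why[$1]
        }'
}

# Stand-alone run over the constructed samples; on a real host use
#   check_moved "$(cat /usr/ports/MOVED)" "$(pkg query '%o %n-%v')"
check_moved "$MOVED_SAMPLE" "$INSTALLED_SAMPLE"
```

A RENAMED line means the package under the old origin will silently drop out of pkg audit coverage, so it should be replaced with the package built from the new origin; a REMOVED line means no fix will ever arrive and the package should be removed.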