
@nuintari I'm now thinking a 3rd-party app should be started.

It does the same thing as pkg-audit but has a separate snooze list (each entry being a port and a snooze time; hmm it could also be a VID and a snooze time).

Without knowing how pkg-audit does it:

for each installed package
do
    if this package is listed in the vuxml
    then
        if this VID is snoozed
        then
            next
        fi
        if this pkg version is vuln
        then
            include pkg and vuln in output
        fi
    fi
done

The code logic seems simple - again, without knowing how pkg-audit does it.

Write it, prove how useful it is, get user base, import into #FreeBSD.

I'm happy to help, but I don't want to start it.

Easy. ;)
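A worked sketch of that loop in Python, added here as an example; it is not code from either poster or from FreeBSD's pkg. It parses a constructed sample of `pkg audit` text output (the report format is assumed to match the usual one, and the VIDs in it are placeholders), applies a snooze list whose entries are either a package name or a VuXML VID with an expiry date, and keeps a finding only while it still has at least one unsnoozed VID, so an expired snooze stops hiding an issue and a package with two VIDs is not hidden by snoozing just one. The function and file names are assumptions of this example.

```python
import re
from datetime import date

# Constructed sample of `pkg audit` text output (format assumed; VIDs are placeholders).
SAMPLE_REPORT = """\
vim-8.2.4886 is vulnerable:
  vim -- multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/11111111-1111-1111-1111-111111111111.html

py39-somepkg-1.2.3 is vulnerable:
  somepkg -- example issue
  WWW: https://vuxml.FreeBSD.org/freebsd/22222222-2222-2222-2222-222222222222.html

example-daemon-0.1 is vulnerable:
  example-daemon -- first example issue
  WWW: https://vuxml.FreeBSD.org/freebsd/33333333-3333-3333-3333-333333333333.html
  example-daemon -- second example issue
  WWW: https://vuxml.FreeBSD.org/freebsd/44444444-4444-4444-4444-444444444444.html

4 problem(s) in 3 installed package(s) found.
"""

# Constructed snooze list, one entry per line: <package name or VID> <snoozed until, YYYY-MM-DD>.
SAMPLE_SNOOZES = """\
# snoozed by package name: hides every VID reported for vim until the date passes
vim 2099-01-01
# snoozed by VID, but the date has passed, so this entry no longer applies
22222222-2222-2222-2222-222222222222 2020-01-01
# snoozed by VID: only this one issue for example-daemon is hidden
33333333-3333-3333-3333-333333333333 2099-01-01
"""

HEADER_RE = re.compile(r"^(\S+)-(\S+) is vulnerable:$")   # split on the last '-' like pkg does
VID_RE = re.compile(r"vuxml\.freebsd\.org/freebsd/([0-9a-f-]{36})\.html", re.IGNORECASE)


def parse_audit_report(text):
    """Turn `pkg audit` output into [{'pkg', 'version', 'vids'}], one entry per package."""
    findings = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"pkg": header.group(1), "version": header.group(2), "vids": []}
            findings.append(current)
            continue
        vid = VID_RE.search(line)
        if vid and current is not None:
            current["vids"].append(vid.group(1).lower())
    return findings


def parse_snooze_list(text):
    """Map each snooze key (package name or VID, lower-cased) to its expiry date."""
    snoozes = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        key, until = line.split()
        snoozes[key.lower()] = date.fromisoformat(until)
    return snoozes


def snoozed(key, snoozes, today):
    """True only while the snooze for this key exists and has not expired."""
    until = snoozes.get(key.lower())
    return until is not None and today <= until


def audit_with_snoozes(report_text, snooze_text, today):
    """Return the findings that still need attention on `today` (a date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    snoozes = parse_snooze_list(snooze_text)
    active = []
    for finding in parse_audit_report(report_text):
        if snoozed(finding["pkg"], snoozes, today):      # whole package snoozed
            continue
        remaining = [v for v in finding["vids"] if not snoozed(v, snoozes, today)]
        if remaining:                                     # at least one VID still live
            active.append({**finding, "vids": remaining})
    return active


def format_findings(findings):
    """Render the surviving findings in the same shape as the audit report."""
    lines = []
    for f in findings:
        lines.append(f"{f['pkg']}-{f['version']} is vulnerable:")
        for v in f["vids"]:
            lines.append(f"  WWW: https://vuxml.FreeBSD.org/freebsd/{v}.html")
    return "\n".join(lines)


if __name__ == "__main__":
    # In real use the report text would come from running `pkg audit` on the host.
    print(format_findings(audit_with_snoozes(SAMPLE_REPORT, SAMPLE_SNOOZES, date.today())))
```

On the sample, vim disappears entirely, py39-somepkg comes back because its snooze has lapsed, and example-daemon is still reported but with only its unsnoozed VID; the snooze file is read per host, so each machine keeps its own list.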

Replies


@nuintari @gumnos

My personal preferences in descending order:

* base
* python/perl
* compiled

I have python/perl on all hosts.

Keep in mind that pkg-audit can be run on a jail host and it inspects all the jails. I'd expect the new tool to be similar.

The list of stuff to ignore should be a host-by-host basis, I would expect. It might be the same on every host, but it might not be.