Make the check-vulnerable target more self-sufficient, by moving some

of the logic from fetch/fetch.mk into flavor/pkg/check.mk, so that
check-vulnerable can be used as a source target.

Make check-vulnerable a source target for every phase of the build
workflow, which ensures that it is always run if the user starts a
new phase from the command line.

Fix the cookie-generation targets so that they don't append, only
overwrite to the cookie file.  This works around potential problems
due to recursive makes.

Move the cookie checks so that they surround the corresponding phase
target.  The presence of the cookie should now inform the make process
to avoid doing any processing of phases that occur before the phase
corresponding to the cookie.

mk/build/bsd.build.mk

@@ -1,4 +1,4 @@
-# $NetBSD: bsd.build.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: bsd.build.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to building sources for a package.
@@ -40,4 +40,4 @@ build: configure build-cookie
 .PHONY: build-cookie
 build-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_BUILD_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_BUILD_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_BUILD_COOKIE}

mk/build/build.mk

@@ -1,4 +1,4 @@
-# $NetBSD: build.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: build.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # BUILD_MAKE_FLAGS is the list of arguments that is passed to the make
 #	process.
@@ -14,6 +14,7 @@ BUILD_TARGET?=		all
 ######################################################################
 ### build is a public target to build the sources from the package.
 ###
+_BUILD_TARGETS+=	check-vulnerable
 _BUILD_TARGETS+=	configure
 _BUILD_TARGETS+=	acquire-build-lock
 _BUILD_TARGETS+=	${_BUILD_COOKIE}
@@ -22,20 +23,20 @@ _BUILD_TARGETS+=	pkginstall
 
 .PHONY: build
 .if !target(build)
+.  if !exists(${_BUILD_COOKIE})
 build: ${_BUILD_TARGETS}
+.  else
+build:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-build-lock release-build-lock
 acquire-build-lock: acquire-lock
 release-build-lock: release-lock
 
-.if !exists(${_BUILD_COOKIE})
 ${_BUILD_COOKIE}:
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-build PKG_PHASE=build || ${PKG_ERROR_HANDLER.build}
-.else
-${_BUILD_COOKIE}:
-	@${DO_NADA}
-.endif
 
 PKG_ERROR_CLASSES+=	build
 PKG_ERROR_MSG.build=							\

mk/build/test.mk

@@ -1,4 +1,4 @@
-# $NetBSD: test.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: test.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # TEST_DIRS is the list of directories in which to perform the build
 #	process.  If the directories are relative paths, then they
@@ -19,6 +19,7 @@ TEST_MAKE_FLAGS?=	${MAKE_FLAGS}
 ######################################################################
 ### build is a public target to build the sources from the package.
 ###
+_TEST_TARGETS+=	check-vulnerable
 _TEST_TARGETS+=	build
 _TEST_TARGETS+=	acquire-test-lock
 _TEST_TARGETS+=	${_TEST_COOKIE}
@@ -120,4 +121,4 @@ post-test:
 .PHONY: test-cookie
 test-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_TEST_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_TEST_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_TEST_COOKIE}

mk/check/check-vulnerable.mk

@@ -1,4 +1,4 @@
-# $NetBSD: check-vulnerable.mk,v 1.2 2006/06/05 22:49:44 jlam Exp $
+# $NetBSD: check-vulnerable.mk,v 1.3 2006/07/05 09:08:35 jlam Exp $
 
 ###########################################################################
 ### check-vulnerable (PRIVATE, override)
@@ -9,5 +9,9 @@
 .PHONY: check-vulnerable
 .if !target(check-vulnerable)
 check-vulnerable:
+.  if defined(ALLOW_VULNERABLE_PACKAGES)
+	@${DO_NADA}
+.  else
 	@${PHASE_MSG} "Skipping vulnerability checks."
+.  endif
 .endif

mk/configure/bsd.configure.mk

@@ -1,4 +1,4 @@
-# $NetBSD: bsd.configure.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: bsd.configure.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to configuring packages for building.
@@ -36,4 +36,4 @@ configure: patch configure-cookie
 .PHONY: configure-cookie
 configure-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_CONFIGURE_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_CONFIGURE_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_CONFIGURE_COOKIE}

mk/configure/configure.mk

@@ -1,4 +1,4 @@
-# $NetBSD: configure.mk,v 1.1 2006/07/05 06:09:15 jlam Exp $
+# $NetBSD: configure.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 #
 # CONFIGURE_SCRIPT is the path to the script to run in order to
 #	configure the software for building.  If the path is relative,
@@ -40,27 +40,28 @@ BUILD_DEFS+=		CONFIGURE_ENV CONFIGURE_ARGS
 ######################################################################
 ### configure is a public target to configure the sources for building.
 ###
+_CONFIGURE_TARGETS+=	check-vulnerable
 _CONFIGURE_TARGETS+=	wrapper
 _CONFIGURE_TARGETS+=	acquire-configure-lock
 _CONFIGURE_TARGETS+=	${_CONFIGURE_COOKIE}
 _CONFIGURE_TARGETS+=	release-configure-lock
 
 .PHONY: configure
 .if !target(configure)
+.  if !exists(${_CONFIGURE_COOKIE})
 configure: ${_CONFIGURE_TARGETS}
+.  else
+configure:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-configure-lock release-configure-lock
 acquire-configure-lock: acquire-lock
 release-configure-lock: release-lock
 
-.if !exists(${_CONFIGURE_COOKIE})
 ${_CONFIGURE_COOKIE}:
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-configure PKG_PHASE=configure || ${PKG_ERROR_HANDLER.configure}
-.else
-${_CONFIGURE_COOKIE}:
-	@${DO_NADA}
-.endif
 
 PKG_ERROR_CLASSES+=	configure
 PKG_ERROR_MSG.configure=						\

mk/depends/depends.mk

@@ -1,4 +1,4 @@
-# $NetBSD: depends.mk,v 1.7 2006/06/09 13:59:08 jlam Exp $
+# $NetBSD: depends.mk,v 1.8 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### depends (PUBLIC)
@@ -12,19 +12,19 @@ _DEPENDS_TARGETS+=	release-depends-lock
 
 .PHONY: depends
 .if !target(depends)
+.  if !exists(${_DEPENDS_COOKIE})
 depends: ${_DEPENDS_TARGETS}
+.  else
+depends:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-depends-lock release-depends-lock
 acquire-depends-lock: acquire-lock
 release-depends-lock: release-lock
 
-.if !exists(${_DEPENDS_COOKIE})
 ${_DEPENDS_COOKIE}: real-depends
-.else
-${_DEPENDS_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-depends (PRIVATE)

mk/extract/extract.mk

@@ -1,4 +1,4 @@
-# $NetBSD: extract.mk,v 1.7 2006/06/09 13:59:08 jlam Exp $
+# $NetBSD: extract.mk,v 1.8 2006/07/05 09:08:35 jlam Exp $
 #
 # The following variables may be set by the package Makefile and
 # specify how extraction happens:
@@ -42,6 +42,7 @@ _EXTRACT_COOKIE=	${WRKDIR}/.extract_done
 ######################################################################
 ### extract is a public target to perform extraction.
 ###
+_EXTRACT_TARGETS+=	check-vulnerable
 _EXTRACT_TARGETS+=	checksum
 _EXTRACT_TARGETS+=	makedirs
 _EXTRACT_TARGETS+=	depends
@@ -52,19 +53,19 @@ _EXTRACT_TARGETS+=	release-extract-lock
 
 .PHONY: extract
 .if !target(extract)
+.  if !exists(${_EXTRACT_COOKIE})
 extract: ${_EXTRACT_TARGETS}
+.  else
+extract:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-extract-lock release-extract-lock
 acquire-extract-lock: acquire-lock
 release-extract-lock: release-lock
 
-.if !exists(${_EXTRACT_COOKIE})
 ${_EXTRACT_COOKIE}: real-extract
-.else
-${_EXTRACT_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-extract (PRIVATE)
@@ -114,7 +115,7 @@ extract-check-interactive:
 .PHONY: extract-cookie
 extract-cookie:
 	${_PKG_SILENT}${_PKG_DEBUG}${MKDIR} ${_EXTRACT_COOKIE:H}
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_EXTRACT_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_EXTRACT_COOKIE}
 
 ######################################################################
 ### pre-extract, do-extract, post-extract (PUBLIC, override)

mk/fetch/fetch.mk

@@ -1,4 +1,4 @@
-# $NetBSD: fetch.mk,v 1.4 2006/06/20 14:54:03 jlam Exp $
+# $NetBSD: fetch.mk,v 1.5 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### fetch (PUBLIC)
@@ -8,7 +8,7 @@
 ###
 .PHONY: fetch
 .if !target(fetch)
-fetch: pre-fetch do-fetch post-fetch
+fetch: check-vulnerable pre-fetch do-fetch post-fetch
 .endif
 
 # If this host is behind a filtering firewall, use passive ftp(1)
@@ -262,24 +262,6 @@ batch-check-distfiles:
 .PHONY: do-fetch
 .if !target(do-fetch)
 do-fetch: ${FAILOVER_FETCH:Duptodate-digest}
-.  if !defined(ALLOW_VULNERABLE_PACKAGES)
-	${_PKG_SILENT}${_PKG_DEBUG}					\
-	if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then		\
-		${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
-		vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`;		\
-		case "$$vul" in						\
-		"")	;;						\
-		*)	${ECHO} "$$vul";				\
-			${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
-			${FALSE} ;;					\
-		esac;							\
-	else								\
-		${PHASE_MSG} "Skipping vulnerability checks.";		\
-		${WARNING_MSG} "No ${PKGVULNDIR}/pkg-vulnerabilities file found."; \
-		${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
-		${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
-	fi
-.  endif
 .  if !empty(_ALLFILES)
 	${_PKG_SILENT}${_PKG_DEBUG}					\
 	${TEST} -d ${_DISTDIR} || ${MKDIR} ${_DISTDIR}

mk/flavor/pkg/check.mk

@@ -1,4 +1,4 @@
-# $NetBSD: check.mk,v 1.1 2006/06/03 23:11:42 jlam Exp $
+# $NetBSD: check.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### check-vulnerable (PUBLIC, pkgsrc/mk/check/check.mk)
@@ -12,16 +12,43 @@
 ###
 .PHONY: check-vulnerable
 check-vulnerable:
-	@if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
-		. ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf;	\
-	elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
-		. ${PKG_SYSCONFDIR}/audit-packages.conf;		\
+.if defined(ALLOW_VULNERABLE_PACKAGES)
+	@${DO_NADA}
+.else
+	${_PKG_SILENT}${_PKG_DEBUG}					\
+	vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities;			\
+	if ${TEST} ! -f "$$vulnfile"; then				\
+		${PHASE_MSG} "Skipping vulnerability checks.";		\
+		${WARNING_MSG} "No $$vulnfile file found.";		\
+		${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
+		${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
+		exit 0;							\
 	fi;								\
-	if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then		\
-		${SETENV} PKGNAME=${PKGNAME}				\
-			  PKGBASE=${PKGBASE}				\
-		${AWK} '/^$$/ { next }				\
-			/^#.*/ { next }				\
-			$$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
-			{ s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
+	${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}";	\
+	conffile=;							\
+	for dir in							\
+		__dummy							\
+		${PKG_SYSCONFDIR.audit-packages:Q}""			\
+		${PKG_SYSCONFDIR:Q}"";					\
+	do								\
+		case $$dir in						\
+		/*)	conffile="$$dir/audit-packages.conf"; break ;;	\
+		*)	continue ;;					\
+		esac;							\
+	done;								\
+	if ${TEST} -z "$$conffile" -a -f "$$conffile"; then		\
+		. $$conffile;						\
+	fi;								\
+	${SETENV} PKGNAME=${PKGNAME}					\
+		  PKGBASE=${PKGBASE}					\
+	${AWK} 'BEGIN { exitcode = 0 }					\
+		/^$$/ { next }						\
+		/^#.*/ { next }						\
+		$$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next }	\
+		{ s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
+		END { exit exitcode }' < $$vulnfile || ${FALSE};	\
+	if ${TEST} "$$?" -ne 0; then					\
+		${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+		${FALSE};						\
 	fi
+.endif

mk/install/bsd.install.mk

@@ -1,4 +1,4 @@
-# $NetBSD: bsd.install.mk,v 1.3 2006/06/06 00:25:26 jlam Exp $
+# $NetBSD: bsd.install.mk,v 1.4 2006/07/05 09:08:35 jlam Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to installing packages.
@@ -38,4 +38,4 @@ install: ${_PKGSRC_BUILD_TARGETS} install-cookie
 ###
 .PHONY: install-cookie
 install-cookie:
-	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} >> ${_INSTALL_COOKIE}
+	${_PKG_SILENT}${_PKG_DEBUG}${ECHO} ${PKGNAME} > ${_INSTALL_COOKIE}

mk/install/install.mk

@@ -1,32 +1,33 @@
-# $NetBSD: install.mk,v 1.8 2006/06/14 07:51:47 jlam Exp $
+# $NetBSD: install.mk,v 1.9 2006/07/05 09:08:35 jlam Exp $
 
 ######################################################################
 ### install (PUBLIC)
 ######################################################################
 ### install is a public target to install the package.  It will
 ### acquire elevated privileges just-in-time.
 ###
+_INSTALL_TARGETS+=	check-vulnerable
 _INSTALL_TARGETS+=	${_PKGSRC_BUILD_TARGETS}
 _INSTALL_TARGETS+=	acquire-install-lock
 _INSTALL_TARGETS+=	${_INSTALL_COOKIE}
 _INSTALL_TARGETS+=	release-install-lock
 
 .PHONY: install
 .if !target(install)
+.  if !exists(${_INSTALL_COOKIE})
 install: ${_INSTALL_TARGETS}
+.  else
+install:
+	@${DO_NADA}
+.  endif
 .endif
 
 .PHONY: acquire-install-lock release-install-lock
 acquire-install-lock: acquire-lock
 release-install-lock: release-lock
 
-.if !exists(${_INSTALL_COOKIE})
 ${_INSTALL_COOKIE}: install-check-interactive
 	${_PKG_SILENT}${_PKG_DEBUG}cd ${.CURDIR} && ${SETENV} ${BUILD_ENV} ${MAKE} ${MAKEFLAGS} real-install PKG_PHASE=install
-.else
-${_INSTALL_COOKIE}:
-	@${DO_NADA}
-.endif
 
 ######################################################################
 ### real-install (PRIVATE)