# pkg audit vs. moved ports



## rihad (Jun 17, 2019)

When a FreeBSD port moves its origin from one to another, its security vulnerabilities will no longer be tracked. One example is editors/vim-lite, which no longer exists; its new name is editors/vim-console. Although vim has just recently had a CVE vulnerability, vim-lite will not be marked as vulnerable by pkg audit (and the periodic daily emails based on its output). How can/should such cases be best spotted in a timely manner?


----------



## rihad (Jun 18, 2019)

In fact, for packages that have been moved `pkg upgrade` will not even offer an upgrade.


----------



## Minbari (Jun 18, 2019)

You are wrong. Once a package has been marked for deletion, pkg marks it and also adds an entry in the /usr/ports/UPDATING file, which you are supposed to read every time before performing any update. After that it's the user/admin's job to remove the package from the system.


----------



## rihad (Jun 18, 2019)

I knew about it; the MOVED file is of little relevance for someone who doesn't even have the ports tree, relying only on `pkg`. It should probably be noted somewhere that having the ports tree and keeping an eye on the UPDATING & MOVED files is still required, even if you don't build any of the ports yourself.


----------
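The gap the thread describes can be closed with a small check that compares the origins of installed packages against the ports tree's MOVED file, so that a package whose origin has been renamed or dropped (and which pkg audit therefore no longer matches against VuXML) gets reported by the daily mail. The script below is an added example written for this thread, not code from the posters or from FreeBSD. It assumes the MOVED file's `old|new|date|reason` line format and that, on a real host, the installed origin list comes from `pkg query '%o'` and the MOVED file from `/usr/ports/MOVED`; both inputs are replaced here by constructed sample data (the vim-lite date and reason text are made up for the example).

```shell
#!/bin/sh
# Added example, not from the thread: report installed packages whose port
# origin has an entry in MOVED. pkg audit keys vulnerabilities on the
# current origin, so the old origin silently drops out of its reports.
#
# Real-host usage (assumed paths/commands, see lead-in):
#   pkg query '%o' > /tmp/installed-origins
#   find_moved_installed /tmp/installed-origins /usr/ports/MOVED

# Print "old -> new (date: reason)" for every installed origin that has a
# MOVED entry. A MOVED line with an empty "new" field means the port was
# removed rather than renamed; it is reported as "(removed)".
#   $1 = file of installed origins, one per line
#   $2 = MOVED file (old|new|date|reason, '#' comment lines)
find_moved_installed() {
    awk -F'|' '
        # first file: remember each installed origin
        NR == FNR { installed[$1] = 1; next }
        # second file: skip comments and lines that are not MOVED records
        /^#/ || NF < 3 { next }
        ($1 in installed) {
            dest = ($2 == "") ? "(removed)" : $2
            printf "%s -> %s (%s: %s)\n", $1, dest, $3, $4
        }
    ' "$1" "$2"
}

# Self-contained demonstration on constructed data.
demo() {
    tmp=$(mktemp -d)

    # Constructed sample of what `pkg query '%o'` prints on a host.
    cat > "$tmp/installed" <<'EOF'
editors/vim-lite
security/sudo
www/oldport
EOF

    # Constructed sample MOVED records (dates and reasons are invented).
    cat > "$tmp/MOVED" <<'EOF'
# old|new|date|reason
editors/vim-lite|editors/vim-console|2019-06-01|Renamed to vim-console
lang/otherport|lang/newport|2019-03-10|Renamed
www/oldport||2019-01-15|Has expired
EOF

    find_moved_installed "$tmp/installed" "$tmp/MOVED"
    rm -rf "$tmp"
}

demo
```

Run from periodic (for example as a local daily script) and mail any non-empty output; a non-empty result is the signal that `pkg audit` is no longer covering that package and it needs to be reinstalled under its new origin or removed. Note that this only detects a single hop: if the new origin was itself later moved, the renamed package has to be checked again after reinstalling.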

