 @@ -1,14 +1,14 @@
-<!-- $NetBSD: faq.xml,v 1.39 2008/01/04 15:53:41 rillig Exp $ -->
+<!-- $NetBSD: faq.xml,v 1.40 2008/03/04 02:39:37 jschauma Exp $ -->
 <chapter id="faq"> <?dbhtml filename="faq.html"?>
 <title>Frequently Asked Questions</title>
 <para>This section contains hints, tips &amp; tricks on special things in
 pkgsrc that we didn't find a better place for in the previous chapters, and
 it contains items for both pkgsrc users and developers.</para>
 <!-- ================================================================== -->
   <sect1 id="mailing-list-pointers">
     <title>Are there any mailing lists for pkg-related discussion?</title>
 @@ -499,57 +499,55 @@ reinstall any affected packages.
 </sect1>
 <!-- ================================================================== -->
 <sect1 id="audit-packages">
 <title>Automated security checks</title>
 <para>Please be aware that there can often be bugs in third-party software,
 and some of these bugs can leave a machine vulnerable to exploitation by
 attackers.  In an effort to lessen the exposure, the NetBSD packages team
 maintains a database of known-exploits to packages which have at one time
 been included in pkgsrc.  The database can be downloaded automatically, and
 a security audit of all packages installed on a system can take place.  To
-do this, install the <filename
+do this, refer to the following two tools (installed as part of the
-  role="pkg">security/audit-packages</filename> package.  It has two
+<filename role="pkg">pkgtools/pkg_install</filename> package):</para>
 components:</para>
 <orderedlist>
   <listitem>
     <para><command>download-vulnerability-list</command>, an easy way to
     download a list of the security vulnerabilities information.  This list
     is kept up to date by the NetBSD security officer and the NetBSD
     packages team, and is distributed from the NetBSD ftp server:</para>
     <para><ulink
     url="ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"/></para>
   </listitem>
   <listitem>
     <para><command>audit-packages</command>, an easy way to audit the
     current machine, checking each vulnerability which is known.  If a
     vulnerable package is installed, it will be shown by output to stdout,
     including a description of the type of vulnerability, and a URL
     containing more information.</para>
   </listitem>
 </orderedlist>
-<para>Use of the <filename role="pkg">security/audit-packages</filename>
+<para>Use of these tools is strongly recommended!  After
-package is strongly recommended!  After
+<quote>pkg_install</quote> is installed, please read
 <quote>audit-packages</quote> is installed, please read
 the package's message, which you can get by running <userinput>pkg_info -D
-audit-packages</userinput>.</para>
+pkg_install</userinput>.</para>
 <para>If this package is installed, pkgsrc builds will use it to
 perform a security check before building any package.  See <xref
 linkend="variables-affecting-build"/> for ways to control this
 check.</para>
 </sect1>
 <sect1 id="ufaq-cflags">
 <title>Why do some packages ignore my <varname>CFLAGS</varname>?</title>
 	<para>When you add your own preferences to the
 	<varname>CFLAGS</varname> variable in your

 @@ -1,14 +1,14 @@
-<!-- $NetBSD: using.xml,v 1.34 2008/01/04 15:53:41 rillig Exp $ -->
+<!-- $NetBSD: using.xml,v 1.35 2008/03/04 02:39:37 jschauma Exp $ -->
 <chapter id="using"> <?dbhtml filename="using.html"?>
 <title>Using pkgsrc</title>
 <para>Basically, there are two ways of using pkgsrc. The first
 is to only install the package tools and to use binary packages
 that someone else has prepared. This is the <quote>pkg</quote>
 in pkgsrc. The second way is to install the <quote>src</quote>
 of pkgsrc, too. Then you are able to build your own packages,
 and you can still use binary packages from someone else.</para>
 <sect1 id="using-pkg">
   <title>Using binary packages</title>
 @@ -89,30 +89,29 @@ and you can still use binary packages fr
 &rprompt; <userinput>pkg_add ap2-php5-*</userinput>
 </screen>
     <para>Note that any prerequisite packages needed to run the
     package in question will be installed, too, assuming they are
     present where you install from.</para>
     <para>As mentioned above, packages for which vulnerabilities get
     known are not stored in the <filename>All</filename> subdirectory.
     They don't get deleted since that could be very frustrating if many
     other packages depend on it. Instead, they are moved to the
     <filename>vulnerable</filename> subdirectory. So you may need to add
     this directory to the <varname>PKG_PATH</varname> variable.
-    However, you should run <filename
+    However, you should run <command>audit-packages</command>
-    role="pkg">security/audit-packages</filename> regularly, especially
+    regularly, especially after installing new packages, and verify
-    after installing new packages, and verify that the vulnerabilities
+    that the vulnerabilities are acceptable for your configuration.</para>
     are acceptable for your configuration.</para>
     <para>After you've installed packages, be sure to have
     <filename>/usr/pkg/bin</filename> and <filename>/usr/pkg/sbin</filename> in your
     <varname>PATH</varname> so you can actually start the just
     installed program.</para>
   </sect2>
   <sect2 id="using.pkg_delete">
     <title>Deinstalling packages</title>
     <para>To deinstall a package, it does not matter whether it was
     installed from source code or from a binary package. The
     <command>pkg_delete</command> command does not know it anyway.