Subject: pkg/35091: make update erases packages before vulnerability check
List: pkgsrc-bugs
Date: 11/22/2006 04:30:00
>Number:         35091
>Category:       pkg
>Synopsis:       make update erases packages before vulnerability check
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 22 04:30:00 +0000 2006
>Originator:     David A. Holland <>
>Release:        NetBSD 4.99.3 (pkgsrc of 20061120)
    Harvard EECS
System: NetBSD tanaqui 4.99.3 NetBSD 4.99.3 (TANAQUI) #6: Tue Oct 10 19:32:37 EDT 2006 dholland@tanaqui:/usr/src/sys/arch/i386/compile/TANAQUI i386
Architecture: i386
Machine: i386

If you do "make update" in a vulnerable package, it erases the package
first and then fails because of the vulnerability.

One can repeat with ALLOW_VULNERABLE_PACKAGES=1, so it's not a big
deal, but it can be a nuisance, especially if you do something like
"sleep 600; make update" and go off to lunch.


Choose a package with an outstanding vul, build and install it with
ALLOW_VULNERABLE_PACKAGES=1, make clean, and then make update without


If I understand correctly it should be sufficient to add


as the very first command for the update: rule in,
right before the similar invocation of update-create-ddir.

But I haven't actually tried this and I'm not a pkgsrc wizard.

(This won't stop it from erasing and not rebuilding descendent
packages, but that's an entirely different can of worms, and, I think,
less important.)
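
Added example (not part of the original report, and not pkgsrc code): a small shell model of the ordering problem described above, showing what is left installed when the vulnerability check runs after the removal versus before it. The function names, package names and vulnerability list are constructed for illustration; only ALLOW_VULNERABLE_PACKAGES comes from the report.

```shell
#!/bin/sh
# Constructed model of the ordering problem; none of this is pkgsrc code.
# INSTALLED and VULNERABLE are space-separated package names (constructed data).
INSTALLED="foo-1.0 bar-2.3"
VULNERABLE="foo-1.0"
ALLOW_VULNERABLE_PACKAGES=${ALLOW_VULNERABLE_PACKAGES:-}

is_installed() { case " $INSTALLED " in *" $1 "*) return 0;; esac; return 1; }

# Hypothetical stand-in for the vulnerability check: fails for a listed
# package unless ALLOW_VULNERABLE_PACKAGES is set.
check_vulnerable() {
    [ -n "$ALLOW_VULNERABLE_PACKAGES" ] && return 0
    case " $VULNERABLE " in *" $1 "*) return 1;; esac
    return 0
}

# Remove one package name from the installed list.
deinstall() {
    new=""
    for p in $INSTALLED; do [ "$p" = "$1" ] || new="$new $p"; done
    INSTALLED=${new# }
}

install_pkg() { is_installed "$1" || INSTALLED="${INSTALLED:+$INSTALLED }$1"; }

# Order described in the report: remove first, check afterwards.
# A failed check leaves the package uninstalled.
update_remove_first() {
    deinstall "$1"
    check_vulnerable "$1" || return 1
    install_pkg "$1"
}

# Order the report asks for: check first, touch nothing on failure.
update_check_first() {
    check_vulnerable "$1" || return 1
    deinstall "$1"
    install_pkg "$1"
}

# Demo: the same failing update under both orderings.
update_remove_first foo-1.0 || echo "remove-first failed; installed: $INSTALLED"
INSTALLED="foo-1.0 bar-2.3"
update_check_first foo-1.0 || echo "check-first failed; installed: $INSTALLED"
```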