pkgsrc-Bugs archive


pkg/35091: make update erases packages before vulnerability check



>Number:         35091
>Category:       pkg
>Synopsis:       make update erases packages before vulnerability check
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 22 04:30:00 +0000 2006
>Originator:     David A. Holland <dholland%eecs.harvard.edu@localhost>
>Release:        NetBSD 4.99.3 (pkgsrc of 20061120)
>Organization:
    Harvard EECS
>Environment:
System: NetBSD tanaqui 4.99.3 NetBSD 4.99.3 (TANAQUI) #6: Tue Oct 10 19:32:37 EDT 2006 dholland@tanaqui:/usr/src/sys/arch/i386/compile/TANAQUI i386
Architecture: i386
Machine: i386
>Description:

If you do "make update" in a vulnerable package, it erases the package
first and then fails because of the vulnerability.

One can repeat with ALLOW_VULNERABLE_PACKAGES=1, so it's not a big
deal, but it can be a nuisance, especially if you do something like
"sleep 600; make update" and go off to lunch.

>How-To-Repeat:

Choose a package with an outstanding vul, build and install it with
ALLOW_VULNERABLE_PACKAGES=1, make clean, and then make update without
ALLOW_VULNERABLE_PACKAGES=1.

>Fix:

If I understand correctly it should be sufficient to add

${_PKG_SILENT}${_PKG_DEBUG}${RECURSIVE_MAKE} ${MAKEFLAGS} check-vulnerable

as the very first command for the update: rule in bsd.pkg.update.mk,
right before the similar invocation of update-create-ddir.

But I haven't actually tried this and I'm not a pkgsrc wizard.

(This won't stop it from erasing and not rebuilding descendent
packages, but that's an entirely different can of worms, and, I think,
less important.)



