[pkgsrc/trunk]: pkgsrc/mk Improve the handling of allowed vulnerabilities. I...
details: https://anonhg.NetBSD.org/pkgsrc/rev/fe71cc877f9f
branches: trunk
changeset: 503232:fe71cc877f9f
user: erh <erh%pkgsrc.org@localhost>
date: Wed Nov 16 20:59:22 2005 +0000
description:
Improve the handling of allowed vulnerabilities. Instead of the single
ALLOW_VULNERABLE_PACKAGES setting that applies to all packages, there can
now be per-package lists of allowed vulnerability ids:
ALLOW_VULNERABILITIES.<pkgname>=<space separated list of vulnids>
To avoid duplication of code, audit-packages is now used to do these checks.
It can be skipped altogether by setting:
SKIP_AUDIT_PACKAGES=yes
diffstat:
mk/bsd.pkg.mk | 48 ++++++++++++++++++++++++++++++------------------
mk/bsd.prefs.mk | 4 +++-
mk/defaults/mk.conf | 18 +++++++++++++-----
3 files changed, 46 insertions(+), 24 deletions(-)
diffs (140 lines):
diff -r c73410c80aea -r fe71cc877f9f mk/bsd.pkg.mk
--- a/mk/bsd.pkg.mk Wed Nov 16 20:49:21 2005 +0000
+++ b/mk/bsd.pkg.mk Wed Nov 16 20:59:22 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.pkg.mk,v 1.1751 2005/11/15 21:21:01 rillig Exp $
+# $NetBSD: bsd.pkg.mk,v 1.1752 2005/11/16 20:59:22 erh Exp $
#
# This file is in the public domain.
#
@@ -1363,35 +1363,45 @@
esac
# check for any vulnerabilities in the package
-# Please do not modify the leading "@" here
+
+_AUDIT_PACKAGES_MIN_VERSION=0.40
+_AUDIT_PACKAGES_OK!= ${PKG_INFO} -qe 'audit-packages>=${AUDIT_PACKAGES_MIN_VERSION}' ; echo $$?
+
+# Note: _any_ output from check-vulnerable is considered an error by do-fetch.
.PHONY: check-vulnerable
check-vulnerable:
- @if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
- . ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \
- elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
- . ${PKG_SYSCONFDIR}/audit-packages.conf; \
- fi; \
- if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
- ${SETENV} PKGNAME=${PKGNAME:Q} \
- PKGBASE=${PKGBASE:Q} \
- ${AWK} '/^$$/ { next } \
- /^#.*/ { next } \
- $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
- { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2,
ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
- fi
+.if empty(AUDIT_PACKAGES_OK:M0)
+ @${ECHO_MSG} "${_PKGSRC_IN}> *** The audit-packages package must be at least version ${AUDIT_PACKAGES_MIN_VERSION}"
+ @${ECHO_MSG} "${_PKGSRC_IN}> *** Please install pkgsrc/security/audit-packages package and run";
+ @${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'.";
+ @false
+.else
+ @${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} -p ${PKGNAME:Q}
+.endif
+
+
+.if defined(ALLOW_VULNERABILITIES.${PKGBASE})
+_ALLOW_VULNERABILITIES=${ALLOW_VULNERABILITIES.${PKGBASE}}
+.else
+_ALLOW_VULNERABILITIES=#none
+.endif
.PHONY: do-fetch
.if !target(do-fetch)
do-fetch:
-. if !defined(ALLOW_VULNERABLE_PACKAGES)
+. if empty(SKIP_AUDIT_PACKAGES:M[Yy][Ee][Ss]) && empty(_ALLOW_VULNERABILITIES:M[Yy][Ee][Ss])
${_PKG_SILENT}${_PKG_DEBUG} \
if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`; \
case "$$vul" in \
"") ;; \
- *) ${ECHO} "$$vul"; \
- ${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+ *) vulnids=`echo "$$vul" | sed -e's/.*vulnid:\\([[:digit:]]*\\).*/\\1/'`; \
+ ${ECHO} "$$vul"; \
+ ${ECHO} "or if this package is absolutely essential, add this to mk.conf:"; \
+ for vulnid in $$vulnids ; do \
+ ${ECHO} " ALLOW_VULNERABILITIES.${PKGBASE}+=$$vulnid"; \
+ done ; \
${FALSE} ;; \
esac; \
else \
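Review bot: The version gate in check-vulnerable can never pass as written: the variables are defined as `_AUDIT_PACKAGES_MIN_VERSION` and `_AUDIT_PACKAGES_OK` (leading underscore) but read as `${AUDIT_PACKAGES_MIN_VERSION}` in the pkg_info query and in the error message, and as `AUDIT_PACKAGES_OK` in the `.if empty(...)`, so with the underscore-less names undefined the condition is always true and the error branch is taken regardless of which audit-packages is installed. The three uses should read `_AUDIT_PACKAGES_OK!= ${PKG_INFO} -qe 'audit-packages>=${_AUDIT_PACKAGES_MIN_VERSION}' ; echo $$?`, `.if empty(_AUDIT_PACKAGES_OK:M0)` and `${_AUDIT_PACKAGES_MIN_VERSION}` in the "must be at least version" message. Separately, the `!=` assignment forks pkg_info at parse time for every package Makefile, including invocations that never reach check-vulnerable; guarding it with `.if !defined(_AUDIT_PACKAGES_OK)` or moving the test into the recipe avoids that. The vulnid extraction `sed -e's/.*vulnid:\\([[:digit:]]*\\).*/\\1/'` passes lines without a `vulnid:` token through unchanged, so `$$vulnids` may then contain arbitrary words from such lines — whether that can happen depends on audit-packages' output format, which is not visible here. The do-fetch recipe continues past the end of the hunk.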
@@ -1400,6 +1410,8 @@
${ECHO_MSG} "${_PKGSRC_IN}> *** the pkgsrc/security/audit-packages package and run"; \
${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; \
fi
+. else
+ @${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME}"
. endif
. if !empty(_ALLFILES)
${_PKG_SILENT}${_PKG_DEBUG} \
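Review bot: The new `. else` message reports only that vulnerability checks are skipped, not why; this branch covers both `SKIP_AUDIT_PACKAGES=yes` and a per-package `ALLOW_VULNERABILITIES.<pkgbase>=yes`, so someone reading a build log afterwards cannot tell which blanket setting bypassed the audit. Including the cause, e.g. `@${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME} (SKIP_AUDIT_PACKAGES=${SKIP_AUDIT_PACKAGES}, ALLOW_VULNERABILITIES.${PKGBASE}=${_ALLOW_VULNERABILITIES})"`, keeps the bypass auditable from the log alone. The enclosing `. if` and the do-fetch recipe begin before this hunk.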
diff -r c73410c80aea -r fe71cc877f9f mk/bsd.prefs.mk
--- a/mk/bsd.prefs.mk Wed Nov 16 20:49:21 2005 +0000
+++ b/mk/bsd.prefs.mk Wed Nov 16 20:59:22 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.209 2005/11/14 04:51:47 rillig Exp $
+# $NetBSD: bsd.prefs.mk,v 1.210 2005/11/16 20:59:23 erh Exp $
#
# Make file, included to get the site preferences, if any. Should
# only be included by package Makefiles before any .if defined()
@@ -497,6 +497,7 @@
PKG_INFO_CMD?= ${PKG_TOOLS_BIN}/pkg_info
PKG_VIEW_CMD?= ${PKG_TOOLS_BIN}/pkg_view
LINKFARM_CMD?= ${PKG_TOOLS_BIN}/linkfarm
+AUDIT_PACKAGES_CMD?= ${LOCALBASE}/sbin/audit-packages
.if !defined(PKGTOOLS_VERSION)
PKGTOOLS_VERSION!= ${PKG_INFO_CMD} -V 2>/dev/null || echo 20010302
@@ -527,6 +528,7 @@
PKG_INFO?= ${PKGTOOLS_ENV} ${PKG_INFO_CMD} ${PKGTOOLS_ARGS}
PKG_VIEW?= ${PKGTOOLS_ENV} ${PKG_VIEW_CMD} ${PKG_VIEW_ARGS}
LINKFARM?= ${LINKFARM_CMD}
+AUDIT_PACKAGES?= ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD} ${PKGTOOLS_ARGS}
# "${PKG_BEST_EXISTS} pkgpattern" prints out the name of the installed
# package that best matches pkgpattern. Use this instead of
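Review bot: `AUDIT_PACKAGES` appends `${PKGTOOLS_ARGS}` to the audit-packages command line, but that variable carries options intended for the pkg_* tools (the same token is appended to `PKG_INFO` and `PKG_VIEW` two lines above); unless audit-packages accepts the same option set — which I cannot confirm from this diff — a non-default `PKGTOOLS_ARGS` would make every vulnerability check fail. If it does not, `AUDIT_PACKAGES?= ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD}` is the safer definition.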
diff -r c73410c80aea -r fe71cc877f9f mk/defaults/mk.conf
--- a/mk/defaults/mk.conf Wed Nov 16 20:49:21 2005 +0000
+++ b/mk/defaults/mk.conf Wed Nov 16 20:59:22 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.91 2005/11/15 12:54:36 tonio Exp $
+# $NetBSD: mk.conf,v 1.92 2005/11/16 20:59:23 erh Exp $
#
# This file provides default values for variables that may be overridden
@@ -14,12 +14,20 @@
# NOTE TO PEOPLE EDITING THIS FILE - USE LEADING SPACES, NOT LEADING TABS.
# ************************************************************************
-#ALLOW_VULNERABLE_PACKAGES=
-# allow the user to build packages which are known to be vulnerable to
-# security exploits
-# Possible: defined, not defined
+#ALLOW_VULNERABILITIES.<pkgname>=
+# List of vulnerability ids to ignore when performing audit-packages
+# check when building a package.
+# Possible: one or more vulnerabilities ids,
+# or the word "yes" to allow all. (not recommended)
# Default: not defined
+SKIP_AUDIT_PACKAGES=no
+# Completely skip running audit-packages to check for vulnerable packages.
+# Specifying individual vulnerabilities with
+# ALLOW_VULNERABILITIES.<pkgname>=<vulnid> is preferred to using this.
+# Possible: yes, no
+# Default: no
+
MANINSTALL?= maninstall catinstall
# Specify manpage installation types.
# Possible: maninstall, catinstall, both types or empty
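Review bot: `SKIP_AUDIT_PACKAGES=no` uses `=` while the surrounding defaults (e.g. `MANINSTALL?=` just below) use `?=`; since this file exists to supply defaults that may be overridden (per its own header comment), an unconditional assignment would clobber a user's `SKIP_AUDIT_PACKAGES=yes` if the user's mk.conf is read before this file, which I believe is the include order. It should be `SKIP_AUDIT_PACKAGES?=no`. Also, the comment documents the key as `ALLOW_VULNERABILITIES.<pkgname>`, but bsd.pkg.mk looks it up as `ALLOW_VULNERABILITIES.${PKGBASE}`, i.e. the package name without its version; documenting it as `ALLOW_VULNERABILITIES.<pkgbase>` here avoids users writing a versioned name and silently getting no exemption (or, worse, assuming one is in place).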