Subject: Re: CVS commit: pkgsrc/mk/bulk
To: None <email@example.com>
From: Alistair Crooks <firstname.lastname@example.org>
Date: 11/21/2005 17:39:24
On Mon, Nov 21, 2005 at 10:42:37AM -0600, email@example.com wrote:
> (apologies for any typos in quoted material, I pieced this together by hand)
> > On 11/20/2005 Krister Walfridsson wrote:
> > I definitely agree that you should not need to change your configuration
> > as a result of changes in the infrastructure. My annoyance was because
> The whole point of changing from ALLOW_VULNERABLE_PACKAGES is so you NEED
> to change your configuration and you need to explicitly think about
> which vulnerabilities you're going to allow. In this case I think it
> is entirely appropriate to need to change your configuration due to
> infrastructure changes.
> ALLOW_VULNERABLE_PACKAGES is replaced with ALLOW_VULNERABILITIES because
> blindly allowing _all_ vulnerabilities is generally a bad thing.
I really detest systems that tell me how I should behave, or what I
should think. For our bulk builds, we need to be able to specify
that we want to build packages which are vulnerable. I couldn't
really care whether you consider that a bad thing in general or
not, it's what we need. Please fix it as a matter of urgency.
> > On 11/20/2005 Alistair Crooks wrote:
> > I already have ALLOW_VULNERABLE_PACKAGES set in my /etc/mk.conf. That
> > should be a hint that I don't want audit-packages to be run on bulk
> > builds. Why do I have to set SKIP_AUDIT_PACKAGES as well?
> It's not an additional setting. It was just renamed.
> As far as I can tell, nothing in pkgsrc/mk currently, or previously
> set ALLOW_VULNERABLE_PACKAGES, so builds, bulk or otherwise, perform
> the audit-packages check. To me, that seems like the proper default
> setting and the default for SKIP_AUDIT_PACKAGES is exactly the same.
Interesting - you modified a basic part of pkgsrc infrastructure and
didn't perform a bulk build - even a limited one with specific
> I had figured, that with the number of messages about this
> (both on this list and on tech-pkg, where I originally posted my changes
> for review) people might notice that they would have to rename their
> ALLOW_VULNERABLE_PACKAGES variable to SKIP_AUDIT_PACKAGES. (and if not
> seen there, it's documented in mk/default/mk.conf and in the pkgsrc guide)
You should have sent out an announcement after you got the go-ahead
from the package's maintainer (me) that you could make the changes.
You should also provide, as a matter of courtesy, clear instructions
on how to move from old ALLOW_VULNERABLE_PACKAGES to whatever the
equivalent new way of doing it is.
FYI, I disagree with the vulnerability id - and I think there are
better ways to accomplish what you wanted to do.
I would just note that pkgsrc is broken for me now as a bulk builder.
You should either fix things so that old settings are respected, or
revert your changes until such time as backwards-compatible settings