Subject: Re: CVS commit: pkgsrc/mk/bulk
To: None <>
From: Alistair Crooks <>
List: pkgsrc-changes
Date: 11/22/2005 00:41:41
On Mon, Nov 21, 2005 at 04:21:18PM -0600, wrote:
> On Mon, Nov 21, 2005 at 05:39:24PM +0000, Alistair Crooks wrote:
> > I really detest systems that tell me how I should behave, or what I
> > should think. For our bulk builds, we need to be able to specify
> > that we want to build packages which are vulnerable. I couldn't
> 	huh?  You can continue to use the all or nothing method, just with
> a different variable name.  I provided a better way to specify which
> vulnerabilities to ignore, if all you care about is getting one particular
> package installed.  You don't need to use that feature if you don't want to.

You have missed the point.  People do not know in advance which
vulnerability they are going to turn up when audit-packages is run -
it is a vehicle to warn them that an installed package is vulnerable.

Your changes make it necessary to run audit-packages twice - once to
encounter the vulnerability, an editing session with /etc/mk.conf
(which is the wrong place to be mucking around with things like this -
they would belong in audit-packages.conf if this had been thought
through), and then another run to spcify your vulnerability id.

You have sentenced an administrator to do this for every vulnerability
they encounter.  That is not the way most people run their networks,
and I believe that you should have considered this before the change
was made.

> > > 	It's not an additional setting.  It was just renamed.
> > > As far as I can tell, nothing in pkgsrc/mk currently, or previously
> > > set ALLOW_VULNERABLE_PACKAGES, so builds, bulk or otherwise, perform
> > > the audit-packages check.  To me, that seems like the proper default
> > > setting and the default for SKIP_AUDIT_PACKAGES is exactly the same.
> > 
> > Interesting - you modified a basic part of pkgsrc infrastructure and
> > didn't perform a bulk build - even a limited one with specific
> > packages?
> 	I thought I did, but apparently not the official way.  I had only
> performed limited bulk builds, and only by using the bulk-* targets directly,
> so I didn't realize that some packages (like pkg_install) get installed/updated
> automatically.  Every time I've done it had to install those by hand before
> runing "make bulk-package", so I figured the audit-packages pacakge was
> in the same category.

> 	Regardless of how the audit checks are disabled, it sounds like your
> change to include audit-packages in BULK_PREREQ should be put back in (if
> you backed it out already).  Running bulk builds with the security checks
> turned on should probably be supported, and you'd need that in the prereq
> list even without my changes.

Not so. Everything worked fine before your changes. I now find that I have
to have audit-packages installed, even if I am skipping the vulnerability
checks, or there is a complaint from the package tools that audit-packages
is down-level, and the package is flagged as broken.

Why do I have to jump through these hoops to support extra functionality
which I do not find that I need, and which actively hampers me from
getting work done?
> > You should have sent out an announcement after you got the go-ahead
> > from the package's maintainer (me) that you could make the changes.
> 	Yes, you're right.  Sorry.
> > You should also provide, as a matter of courtesy, clear instructions
> > on how to move from old ALLOW_VULNERABLE_PACKAGES to whatever the
> > equivalent new way of doing it is.
> How's this:
> If you want to ignore all security checks set this:

It's a good start, but it doesn't go far enough. Support for the deprecated
value would need to be kept until after the last pkgsrc branch.

Better still would be to check ALLOW_VULNERABLE_PACKAGES to be a wildcard,
i.e. if it was set, then SKIP_AUDIT_PACKAGES would automatically be set
to "yes".

But I am still unconvinced of the need for all this upheaval, and this is
(sadly) after the changes have been made.
> However, a better way would be to note the vulnerability id that is show
> when you try to build a package, or from the output of audit-packages,
> and set this instead:
> 	ALLOW_VULNERABILITIES.<pkgbase>+=<vulnid>
> Where <pkgbase> is the name of the package, without a version number and
> <vulnid> is the vulnerability id.
> This way you can build packages where you've decided that the vulnerability
> in question is something you're willing to deal with, without the risk
> of accidentally including a package with a vulnerability that you really
> do care about.

You seem to believe that everyone runs audit-packages the way that you are,
and I don't believe that that is the case.
> > FYI, I disagree with the vulnerability id - and I think there are
> > better ways to accomplish what you wanted to do. 
> well, I'm listening.  fwiw, two other ways I considered were:
> 1) using a line number in the vulnerbilities file.
> 	- seemed too fragile wrt otherwise inconsequential changes to that file.
> 	- harder to tell which line the vulnid corresponds to
> 2) using the url from the line in the vulnerabilities file
> 	- not guaranteed to be unique
> 	- less convenient to add to mk.conf
> 	- more quoting issues in audit-packages

Why do we need vulnerability ids? The URL has always been a fine way of
identifying vulnerabilities up until now.

Why should I allow one vulnerability to pass, and not others? What is
the point of finer-grained checking?
> > I would just note that pkgsrc is broken for me now as a bulk builder. 
> > You should either fix things so that old settings are respected, or
> > revert your changes until such time as backwards-compatible settings
> > are respected.
> Can you tell me what's wrong with setting this:
> Just exactly HOW is that broken?

Because existing configurations no longer work.

Because you have added new functionality without making people adequately
aware of it.

Because you have now forced people to install audit-packages at all times.

	[0:39:06] agc@sys3 ...pkgsrc/devel/intel-iscsi 5 > priv pkg_delete audit-packages
	[0:39:20] agc@sys3 ...pkgsrc/devel/intel-iscsi 6 > make install
	===> do-fetch [intel-iscsi-20040115nb2] ===> Checking for vulnerabilities in intel-iscsi-20040115nb2
	===> check-vulnerable [intel-iscsi-20040115nb2] ===> *** The audit-packages package must be at least version 1.40
	===> check-vulnerable [intel-iscsi-20040115nb2] ===> *** Please install the security/audit-packages package and run
	===> check-vulnerable [intel-iscsi-20040115nb2] ===> *** '/usr/pkg/sbin/download-vulnerability-list'.
	*** Error code 1

	make: stopped in /usr/pkgsrc/devel/intel-iscsi

You are forcing me to do things I don't want to do.