Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: Jeremy C. Reed <firstname.lastname@example.org>
From: Geert Hendrickx <email@example.com>
Date: 08/26/2005 10:00:19
On Fri, Aug 26, 2005 at 12:39:44AM -0700, Jeremy C. Reed wrote:
> Instead of define ALLOW_VULNERABLE_PACKAGES if this package is absolutely
> essential, we should require that it be set to the package name itself.
> That way if someone chose to define ALLOW_VULNERABLE_PACKAGES for one
> particular package they can't bypass the vulnerabilities warning in
> another package.
> ALLOW_VULNERABLE_PACKAGES+= gcpio foo bar baz
> In fact, we could make it even more precise such as include version and
> PKGREVISION such as:
> bmake ALLOW_VULNERABLE_PACKAGES=gcpio-2.5nb1 install
I think this is a good idea. About the version: it should allow >= that
version then. Say there are two vulns in a package, and an update fixes
one of them, then pkgsrc won't allow upgrading to it as it is still
vulnerable AND doesn't match the version specified in the ALLOW_VULNERABLE_
> (I wonder if anyone sets ALLOW_VULNERABLE_PACKAGES in their mk.conf...)
I do on some (non-production) systems. I only wish pkgsrc would still
print out a big fat warning when installing a vulnerable package, because
with ALLOW_VULNERABLE_PACKAGES set permanently, you don't even notice...