Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: Jeremy C. Reed <>
From: Geert Hendrickx <>
List: tech-pkg
Date: 08/26/2005 10:00:19
On Fri, Aug 26, 2005 at 12:39:44AM -0700, Jeremy C. Reed wrote:
> Instead of define ALLOW_VULNERABLE_PACKAGES if this package is absolutely 
> essential, we should require that it be set to the package name itself.
> That way if someone chose to define ALLOW_VULNERABLE_PACKAGES for one 
> particular package they can't bypass the vulnerabilities warning in 
> another package.
> ALLOW_VULNERABLE_PACKAGES+= gcpio foo bar baz
> In fact, we could make it even more precise such as include version and 
> PKGREVISION such as:
> bmake ALLOW_VULNERABLE_PACKAGES=gcpio-2.5nb1 install
> Thoughts?

I think this is a good idea.  About the version: it should allow >= that
version then.  Say there are two vulns in a package, and an update fixes
one of them, then pkgsrc won't allow upgrading to it as it is still
vulnerable AND doesn't match the version specified in the ALLOW_VULNERABLE_
PACKAGES variable.  

> (I wonder if anyone sets ALLOW_VULNERABLE_PACKAGES in their mk.conf...)

I do on some (non-production) systems.  I only wish pkgsrc would still
print out a big fat warning when installing a vulnerable package, because
with ALLOW_VULNERABLE_PACKAGES set permanently, you don't even notice...