Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: None <>
From: Havard Eidnes <>
List: tech-pkg
Date: 08/26/2005 12:14:08
> Instead of defining ALLOW_VULNERABLE_PACKAGES if this package is absolutely
> essential, we should require that it be set to the package name itself.
> That way if someone chose to define ALLOW_VULNERABLE_PACKAGES for one
> particular package they can't bypass the vulnerabilities warning in
> another package.
> ALLOW_VULNERABLE_PACKAGES+= gcpio foo bar baz
> In fact, we could make it even more precise such as including version and
> PKGREVISION such as:
> bmake ALLOW_VULNERABLE_PACKAGES=gcpio-2.5nb1 install
> Thoughts?


To me that looks like you are forcing a pkgsrc user to jump
through even more hoops to have a package installed if some of
the packages it depends on are vulnerable.  Think of e.g.
netscape7 or acroread and the various linux emulation packages we
have in pkgsrc, and think of how long there have been known
vulnerabilities in either of these up through our history, and
think of the even longer time it would take for one of our
maintained branches to be updated.

Then there is the fact that there are differences between
vulnerabilities, and the actual risk exposure from having a
vulnerable package installed varies immensely and depends on
external factors.

Also, a sensible user will install the audit-packages package and
follow the instructions and create his own /etc/security.local,
so that the daily reports will contain the list of known
vulnerable installed packages.

I do agree that even though ALLOW_VULNERABLE_PACKAGES is set, a
warning should be given during the install of any recursively
pulled in packages.

However, I'm not sure I agree that this ability to say
"yes, I really would like this package and its dependencies to
be installed, even if they might contain vulnerabilities" should
be removed, and turned into an iterative "whack-a-mole" process.
I think the latter would be a big turnoff for new users.


- Håvard
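The "precise" matching rule from the quoted proposal, as an added illustration that is not part of the thread or of pkgsrc itself: the helper names (`vuln_bypass_allowed`, `pkgbase_of`, `check_install`) are hypothetical, and the semantics assumed are that an entry equal to the bare package name matches any version while an entry equal to the full PKGNAME (name plus version and PKGREVISION) matches only that exact build, so a setting made for one package cannot silence the warning for another one pulled in as a dependency.

```shell
#!/bin/sh
# Added example, not pkgsrc code. Evaluates whether ALLOW_VULNERABLE_PACKAGES
# permits installing one specific package that is already known to be
# vulnerable, under the "set it to the package name" rule discussed above.
#
# Assumed matching rules (hypothetical, not pkgsrc's actual behaviour):
#   entry == PKGBASE  (e.g. "gcpio")        -> matches any version
#   entry == PKGNAME  (e.g. "gcpio-2.5nb1") -> matches that exact build
# Anything else (e.g. the old boolean "yes") matches nothing.

# PKGNAME -> PKGBASE: strip the trailing "-<version>" (versions start with a digit)
pkgbase_of() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*$//'
}

# Usage: vuln_bypass_allowed PKGNAME "value of ALLOW_VULNERABLE_PACKAGES"
# Returns 0 if the bypass applies to this package, 1 otherwise.
vuln_bypass_allowed() {
    pkgname=$1
    allow=$2
    base=$(pkgbase_of "$pkgname")
    for entry in $allow; do
        [ "$entry" = "$pkgname" ] && return 0   # exact name-version match
        [ "$entry" = "$base" ] && return 0      # bare package name match
    done
    return 1
}

# What the install step would do for a vulnerable package: the warning is
# printed even when the bypass applies, as suggested in the reply above.
check_install() {
    pkgname=$1
    allow=$2
    if vuln_bypass_allowed "$pkgname" "$allow"; then
        echo "WARNING: installing $pkgname despite known vulnerabilities (explicitly allowed)"
        return 0
    fi
    echo "ERROR: $pkgname has known vulnerabilities; set ALLOW_VULNERABLE_PACKAGES to its name to override"
    return 1
}

# Constructed sample run: gcpio is allowed, its sibling dependency foo is not.
check_install gcpio-2.5nb1 "gcpio-2.5nb1"
check_install foo-1.0 "gcpio-2.5nb1" || true
```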