Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: None <ghen@telenet.be>
From: Gavan Fantom <gavan@coolfactor.org>
List: tech-pkg
Date: 08/26/2005 11:27:53
Geert Hendrickx wrote:
> I think this is a good idea.  About the version: it should allow >= that
> version then.  Say there are two vulns in a package, and an update fixes
> one of them, then pkgsrc won't allow upgrading to it as it is still
> vulnerable AND doesn't match the version specified in the
> ALLOW_VULNERABLE_PACKAGES variable.

I would very much like to see the ability to set just the package name, 
without having to specify versions.

Even if that means saying "apache-*".

>> (I wonder if anyone sets ALLOW_VULNERABLE_PACKAGES in their mk.conf...)
>
> I do on some (non-production) systems.  I only wish pkgsrc would still
> print out a big fat warning when installing a vulnerable package, because
> with ALLOW_VULNERABLE_PACKAGES set permanently, you don't even notice...  

I would set it in mk.conf for specific packages, but I wouldn't want to 
set it for all packages.

-- 
Gillette - the best a man can forget
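The allow-list semantics argued over in this thread, as an added toy model written for this page; it is not pkgsrc's audit-packages code and does not claim to show how ALLOW_VULNERABLE_PACKAGES actually behaves. It assumes a simplified dewey version comparison (dotted integers plus an optional nbN suffix), a constructed vulnerability list in the three-column shape of pkg-vulnerabilities (pattern, exploit type, advisory URL) for a fictional package "foo" with placeholder URLs, and three hypothetical readings of an allow-list entry: an exact "foo-1.2", the ">=" reading Geert suggests, and the name-only glob "foo-*" Gavan asks for. The scenario is Geert's: foo-1.2 is hit by two advisories, foo-1.3 fixes one of them, and the question is whether the upgrade is installable under each reading.

```python
"""Toy model: pkgsrc-style vulnerability patterns vs. an ALLOW_VULNERABLE_PACKAGES list.
Added example for the tech-pkg thread; simplified and hypothetical, not pkgsrc's own code."""
import fnmatch
import re

# Constructed sample in the shape of pkg-vulnerabilities (pattern, exploit type, URL).
# Fictional package and placeholder URLs; not real advisories.
VULNS = """\
foo<1.3  remote-dos          http://example.invalid/adv-a
foo<1.4  remote-user-access  http://example.invalid/adv-b
"""

def dewey(version):
    """Parse '1.2nb3' into ([1, 2], 3). Simplified: numeric dotted parts plus optional nbN."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:nb([0-9]+))?", version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version}")
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)

def cmp_version(a, b):
    """-1, 0 or 1 like strcmp; missing trailing components count as 0, so 1.2 == 1.2.0."""
    pa, na = dewey(a)
    pb, nb = dewey(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (na > nb) - (na < nb)

_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def match(pattern, pkgname, version):
    """Does pkgname-version satisfy a pattern?
    Supports name<ver, name<=ver, name>=ver, chained bounds like name>=1.2<1.4,
    and shell globs on the full name such as foo-1.2 (exact) or foo-* (any version)."""
    m = re.fullmatch(r"([A-Za-z0-9_+-]*?)((?:[<>]=?[^<>]+)+)", pattern)
    if m:
        if m.group(1) != pkgname:
            return False
        # every relational clause must hold (e.g. >=1.2 AND <1.4)
        return all(_OPS[op](cmp_version(version, ver))
                   for op, ver in re.findall(r"([<>]=?)([^<>]+)", m.group(2)))
    return fnmatch.fnmatchcase(f"{pkgname}-{version}", pattern)

def vulnerabilities(pkgname, version, vulns=VULNS):
    """Return (exploit type, URL) for every vulnerability record matching pkgname-version."""
    hits = []
    for line in vulns.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        if match(pattern, pkgname, version):
            hits.append((kind, url))
    return hits

def install_allowed(pkgname, version, allow_list, vulns=VULNS):
    """Model of the check: a vulnerable package installs only if an allow-list entry matches.
    The matching vulnerabilities are returned too, so a caller can still warn loudly
    (Geert's point) instead of silently proceeding."""
    found = vulnerabilities(pkgname, version, vulns)
    if not found:
        return True, []
    return any(match(p, pkgname, version) for p in allow_list), found

def scenario():
    """Geert's case under three readings of an allow-list entry for foo-1.2."""
    readings = {"exact": ["foo-1.2"], "gte": ["foo>=1.2"], "glob": ["foo-*"]}
    return {label: {v: install_allowed("foo", v, allow)[0] for v in ("1.2", "1.3", "1.4")}
            for label, allow in readings.items()}

if __name__ == "__main__":
    for label, outcome in scenario().items():
        print(f"{label:>5}: {outcome}")
    ok, found = install_allowed("foo", "1.2", ["foo-*"])
    if ok and found:
        print("WARNING: installing foo-1.2 despite:", found)
```

With the exact entry "foo-1.2" the model refuses foo-1.3: it is still hit by the second advisory and no longer matches the allow-list, which is exactly the upgrade dead end Geert describes. Both the ">=" and the glob readings let the partial fix through, and the returned vulnerability list is what a "big fat warning" would be printed from.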