Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: Havard Eidnes <>
From: Dieter Baron <>
List: tech-pkg
Date: 08/26/2005 15:12:35
In article <> Havard wrote:
: > Instead of define ALLOW_VULNERABLE_PACKAGES if this package is absolutely 
: > essential, we should require that it be set to the package name itself.
: >
: > That way if someone chose to define ALLOW_VULNERABLE_PACKAGES for one 
: > particular package they can't bypass the vulnerabilities warning in 
: > another package.
: >
: > ALLOW_VULNERABLE_PACKAGES+= gcpio foo bar baz
: >
: > In fact, we could make it even more precise such as include version and 
: > PKGREVISION such as:
: >
: > bmake ALLOW_VULNERABLE_PACKAGES=gcpio-2.5nb1 install
: >
: > Thoughts?

: I do agree that even though ALLOW_VULNERABLE_PACKAGES is set, a
: warning should be given during the install of any recursively
: pulled in packages.

  I absolutely agree.

: However, I'm not sure I agree that removing this ability to say
: "yes, I really would like this package and it's dependencies to
: be installed, even if they might contain vulnerabilities" should
: be removed, and turned into an iterative "whack a mole" process.
: I think the latter would be a big turnoff for new users.

  Neither do I, but if
means allow all packages, your concern should be addressed, no?