Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: Havard Eidnes <firstname.lastname@example.org>
From: Dieter Baron <email@example.com>
Date: 08/26/2005 15:12:35
In article <firstname.lastname@example.org> Havard wrote:
: > Instead of define ALLOW_VULNERABLE_PACKAGES if this package is absolutely
: > essential, we should require that it be set to the package name itself.
: > That way if someone chose to define ALLOW_VULNERABLE_PACKAGES for one
: > particular package they can't bypass the vulnerabilities warning in
: > another package.
: > ALLOW_VULNERABLE_PACKAGES+= gcpio foo bar baz
: > In fact, we could make it even more precise such as include version and
: > PKGREVISION such as:
: > bmake ALLOW_VULNERABLE_PACKAGES=gcpio-2.5nb1 install
: > Thoughts?
: I do agree that even though ALLOW_VULNERABLE_PACKAGES is set, a
: warning should be given during the install of any recursively
: pulled in packages.
I absolutely agree.
: However, I'm not sure I agree that removing this ability to say
: "yes, I really would like this package and its dependencies to
: be installed, even if they might contain vulnerabilities" should
: be removed, and turned into an iterative "whack a mole" process.
: I think the latter would be a big turnoff for new users.
Neither do I, but if
means allow all packages, your concern should be addressed, no?
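The matching logic that the proposal above would need, written out as an added example that is not part of this thread and not pkgsrc's own code. It assumes three forms of entry in ALLOW_VULNERABLE_PACKAGES (the value "yes" for the existing blanket allow, a bare package name, and a name with version and PKGREVISION); those semantics are taken from the thread and are assumptions about how a precise check would behave, not a description of what pkgsrc actually does.

```shell
#!/bin/sh
# Added example (not from the thread or from pkgsrc): decision logic for a
# precise ALLOW_VULNERABLE_PACKAGES, as a POSIX sh function.
#
# Assumed semantics, modelled on the proposal in the thread:
#   - the value "yes" allows every package (the blanket setting);
#   - a bare package name ("gcpio") allows any version of that package;
#   - a name with version and PKGREVISION ("gcpio-2.5nb1") allows only that
#     exact version, so a still-vulnerable update is warned about again.
# Anything else falls through and the vulnerability warning applies.

# vulnerable_package_allowed PKGBASE PKGVERSION ALLOW_LIST
# Returns 0 (listed: skip the warning) or 1 (not listed: warn/abort).
vulnerable_package_allowed() {
    pkgbase=$1
    pkgversion=$2
    allow_list=$3
    # Word-splitting of $allow_list is intentional: entries are space-separated.
    for entry in $allow_list; do
        case "$entry" in
            yes)                    return 0 ;;   # blanket allow
            "$pkgbase")             return 0 ;;   # any version of this package
            "$pkgbase-$pkgversion") return 0 ;;   # this exact version only
        esac
    done
    return 1
}

# check_install PKGBASE PKGVERSION ALLOW_LIST
# Prints the decision a build would make for a vulnerable package.
check_install() {
    if vulnerable_package_allowed "$1" "$2" "$3"; then
        echo "$1-$2: vulnerable, but listed in ALLOW_VULNERABLE_PACKAGES; continuing"
    else
        echo "$1-$2: vulnerable and not explicitly allowed; refusing to install"
        return 1
    fi
}

# Constructed sample runs (not real pkgsrc output):
check_install gcpio 2.5nb1 "gcpio-2.5nb1"            # allowed: exact match
check_install gcpio 2.6    "gcpio-2.5nb1" || true    # refused: other version
check_install foo   1.0    "gcpio foo bar baz"       # allowed: bare name
check_install bar   1.0    "yes"                     # allowed: blanket setting
check_install baz   1.0    "" || true                # refused: nothing listed
```

The exact-version form is the one that addresses the concern in the thread: a user who explicitly accepted gcpio-2.5nb1 is warned again as soon as a different version is pulled in, while "yes" keeps the one-shot "install it and its dependencies anyway" behaviour for users who want it.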