Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: None <tech-pkg@netbsd.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-pkg
Date: 08/27/2005 11:48:11
On Fri, 26 Aug 2005, Geert Hendrickx wrote:
> > In fact, we could make it even more precise such as include version and 
> > PKGREVISION such as:
> >
> > bmake ALLOW_VULNERABLE_PACKAGES=gcpio-2.5nb1 install
> 
> I think this is a good idea.  About the version: it should allow >= that
> version then.

It should allow exactly what you specify (but I have no objection to
the syntax being flexible enough to express inequality or wildcard
matching).

Suppose that foo-1.2 is marked as having vulnerability A.  I
research the implications of vulnerability A in foo-1.2, and
decide that, in my environment, the risk is acceptable.  So I set
ALLOW_VULNERABLE_PACKAGES+=foo-1.2, and install the package.  Then
foo-1.3 comes out, with a fix for the original vulnerability A.  Then
foo-1.4 comes out, with some new features and new bugs.  Then a new
vulnerability B is found in foo-1.4.  I haven't yet decided for myself
whether vulnerability B in foo-1.4 is such that I want to install it
anyway, and I certainly don't want pkgsrc to imagine that, when I
authorised the foo-1.2 pkg to be installed despite the presence of
vulnerability A, I was also authorising the foo-1.4 pkg to be installed
despite the presence of vulnerability B.

Actually, I'd like to have control at the per-vulnerability level, not
the per-package level.  Imagine a scenario very much like the above,
but where vulnerabilities A and B exist in the same version of the
package, but are discovered at different times.  After vulnerability A
is discovered, I decide I want to use the package anyway, so it would
be nice if I could say "Allow the foo-1.2 package to be installed
despite vulnerability A", or "Allow any package matching foo>=1.2<2.0 to
be installed despite vulnerability A".  Then, later, when vulnerability
B is found in the same foo-1.2 package, it would be nice if pkgsrc would
know that it was not authorised to ignore vulnerability B.

--apb (Alan Barrett)
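The matching rule argued for above (an exception authorises exactly the package pattern and the vulnerability it names, nothing more) as an added example in Python; this is not pkgsrc code and not part of the original message. It assumes a hypothetical representation of exceptions as (pattern, vulnerability-id) pairs, where a pattern is either an exact package name such as foo-1.2 or gcpio-2.5nb1, or a range such as foo>=1.2<2.0, and it uses a simplified version comparison (numeric components plus an optional nbN revision) rather than pkgsrc's full dewey rules.

```python
"""Per-vulnerability, per-version exception matching (added example, not pkgsrc code)."""
import re
from typing import List, Sequence, Tuple

# Hypothetical exception format: (pattern, vulnerability id).  A pattern is
# either an exact "name-version" or "name" followed by one or more of
# ">=ver", ">ver", "<=ver", "<ver".
Exception_ = Tuple[str, str]


def parse_version(v: str) -> Tuple[List[int], int]:
    """Split '2.5nb1' into ([2, 5], 1); a missing nbN counts as revision 0.
    Only numeric components are compared (simplifying assumption)."""
    base, _, nb = v.partition("nb")
    nums = [int(x) for x in re.findall(r"\d+", base)]
    return nums, int(nb) if nb.isdigit() else 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na = na + [0] * (width - len(na))   # so 1.2 == 1.2.0
    nb = nb + [0] * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def pattern_matches(pattern: str, name: str, version: str) -> bool:
    """True if the installed/candidate package name-version satisfies pattern."""
    if "<" in pattern or ">" in pattern:
        m = re.match(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$", pattern)
        if not m or m.group(1) != name:
            return False
        for op, want in re.findall(r"([<>]=?)([^<>]+)", m.group(2)):
            c = compare_versions(version, want)
            ok = {">=": c >= 0, ">": c > 0, "<=": c <= 0, "<": c < 0}[op]
            if not ok:
                return False
        return True
    # Exact form: the version (including any nbN revision) must match exactly.
    pname, pver = pattern.rsplit("-", 1)
    return pname == name and compare_versions(version, pver) == 0


def is_allowed(pkg: str, vuln_id: str, exceptions: Sequence[Exception_]) -> bool:
    """An exception only covers the vulnerability it names, for the packages
    its pattern matches; authorising A in foo-1.2 says nothing about B."""
    name, version = pkg.rsplit("-", 1)
    return any(
        v == vuln_id and pattern_matches(pattern, name, version)
        for pattern, v in exceptions
    )


def blocking_vulnerabilities(pkg: str, known_vulns: Sequence[str],
                             exceptions: Sequence[Exception_]) -> List[str]:
    """Vulnerabilities of pkg that no exception authorises; an install
    would be refused unless this list is empty."""
    return [v for v in known_vulns if not is_allowed(pkg, v, exceptions)]


if __name__ == "__main__":
    # Constructed scenario following the message: A authorised for foo-1.2 only.
    exceptions = [("foo-1.2", "A")]
    print(blocking_vulnerabilities("foo-1.2", ["A"], exceptions))        # []
    print(blocking_vulnerabilities("foo-1.2", ["A", "B"], exceptions))   # ['B']
    print(blocking_vulnerabilities("foo-1.4", ["B"], exceptions))        # ['B']
    # Range form: A authorised for any foo >= 1.2 and < 2.0.
    ranged = [("foo>=1.2<2.0", "A")]
    print(is_allowed("foo-1.4", "A", ranged), is_allowed("foo-2.0", "A", ranged))
```

The design point is in `is_allowed`: the vulnerability id is checked before the version pattern, so a later vulnerability in the very same package version is still blocked, and the exact form treats a PKGREVISION bump (foo-1.2nb1) as a different package from foo-1.2.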