Subject: Re: Proposed audit-packages changes
To: Todd Vierling <firstname.lastname@example.org>
From: Johnny C. Lam <email@example.com>
Date: 11/22/2005 12:17:36
Todd Vierling wrote:
> On Tue, 22 Nov 2005, Johnny C. Lam wrote:
>>This last change is possibly controversial new behavior because it
>>matches neither the old nor the current behavior:
>>* "CHECK_VULNERABILITIES" defaults to "yes" only if the audit-packages
>> script can be found; otherwise, it defaults to "no". The purpose
>> of this change is to not force audit-packages to be installed.
>>The old behavior was that vulnerability checks were performed regardless
>>of whether audit-packages was installed or not. This was due to the
>>standalone implementation of the auditing code in the old
>>"check-vulnerable" target. The current behavior is that audit-packages
>>must be installed for pkgsrc to work, which again forces the vulnerability
>>checks to be performed. The proposed behavior is that we only perform
>>the checks if we can actually do so. This can be considered a weakening
>>of the security of pkgsrc, so we may not want to do this.
> audit-packages is an unreasonable forced dependency, so whatever behavior
> you choose, the default must not require its presence. This is not a
> "weakening", because this was already the prior behavior of pkgsrc.
But this isn't true, and I explained why in the paragraph you quoted
above -- bsd.pkg.mk's check-vulnerable target used to have have it's own
implementation of the audit-packages script hardcoded into the target.
That was how pkgsrc ran the vulnerability checks regardless of whether
audit-packages was installed. In my proposed change, if
CHECK_VULNERABILITIES is "yes" (the default), then audit-packages is
added as a build dependency.
Actually, I didn't do it entirely correctly because dependencies are
installed after the "fetch" target is run, so it would be possible to
sidestep the vulnerability check by removing audit-packages from your
system, then running "make" in a particular package's directory. I will
need to amend the check-vulnerable target to only run the audit if the
audit-packages script is detected, and also insert "check-vulnerable" as
an additional prerequisite just after dependencies are installed.
-- Johnny Lam <firstname.lastname@example.org>