Subject: Re: Proposed audit-packages changes
To: Johnny C. Lam <>
From: Todd Vierling <>
List: tech-pkg
Date: 11/22/2005 12:41:44
On Tue, 22 Nov 2005, Johnny C. Lam wrote:

> > audit-packages is an unreasonable forced dependency, so whatever behavior
> > you choose, the default must not require its presence.  This is not a
> > "weakening", because this was already the prior behavior of pkgsrc.
> But this isn't true, and I explained why in the paragraph you quoted above --
>'s check-vulnerable target used to have its own implementation
> of the audit-packages script hardcoded into the target. That was how pkgsrc
> ran the vulnerability checks regardless of whether audit-packages was
> installed.  In my proposed change, if CHECK_VULNERABILITIES is "yes" (the
> default), then audit-packages is added as a build dependency.

Actually, with neither audit-packages nor a vulnerabilities file on disk,
pkgsrc worked *just fine* (albeit with warnings).  Going back to this
behavior by default is as much of a "weakening" of pkgsrc security as a
reversion of recent irresponsible tax cuts is a tax "hike".

The default should require neither audit-packages nor
pkg-vulnerabilities.  Have it yell and scream all you want like it did
previously, but building must not fail by default if these are not present.

-- Todd Vierling <> <> <>