Subject: Re: Proposed audit-packages changes
To: Johnny C. Lam <firstname.lastname@example.org>
From: Todd Vierling <email@example.com>
Date: 11/22/2005 12:41:44
On Tue, 22 Nov 2005, Johnny C. Lam wrote:
> > audit-packages is an unreasonable forced dependency, so whatever behavior
> > you choose, the default must not require its presence. This is not a
> > "weakening", because this was already the prior behavior of pkgsrc.
> But this isn't true, and I explained why in the paragraph you quoted above --
> bsd.pkg.mk's check-vulnerable target used to have its own implementation
> of the audit-packages script hardcoded into the target. That was how pkgsrc
> ran the vulnerability checks regardless of whether audit-packages was
> installed. In my proposed change, if CHECK_VULNERABILITIES is "yes" (the
> default), then audit-packages is added as a build dependency.
Actually, with neither audit-packages nor a vulnerabilities file on disk,
pkgsrc worked *just fine* (albeit with warnings). Going back to this
behavior by default is as much of a "weakening" of pkgsrc security as a
reversion of recent irresponsible tax cuts is a tax "hike".
The default should require neither of audit-packages nor
pkg-vulnerabilities. Have it yell and scream all you want like it did
previously, but building must not fail by default if these are not present.
-- Todd Vierling <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org>