Re: Switch vulnerable packages to a warning only

[Greg Troxel <gdt%lexort.com@localhost>]

coypu%sdf.org@localhost writes:

> Over time, more packages, and more essential packages are considered
> vulnerable. Unfortunately this makes users suffer unnecessarily for
> fetching the package vulnerability database.
>
> I assume most people who ran "pkg_admin fetch-pkg-vulnerabilities" have
> immediately had to add ALLOW_VULNERABLE_PACKAGES=yes to mk.conf
>
> So, I am proposing a user-friendliness step of only warning about
> vulnerable packages by default.
>
> Thoughts?
>
> Index: pkgformat/pkg/check.mk
> ===================================================================
> RCS file: /cvsroot/pkgsrc/mk/pkgformat/pkg/check.mk,v
> retrieving revision 1.1
> diff -u -r1.1 check.mk
> --- pkgformat/pkg/check.mk	15 Oct 2011 00:23:09 -0000	1.1
> +++ pkgformat/pkg/check.mk	21 May 2020 15:56:15 -0000
> @@ -20,6 +20,5 @@
>  		exit 0;						\
>  	fi;							\
>  	${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
> -	${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
> -	|| ${FAIL_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."
> +	${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} || ${TRUE}
>  .endif

As someone who sets the variable, I am very sympathetic.  I think it's
good to have the option to be strict, even if I'm not sure there are any
actual people who use that.

So instead of your change above, how about

ALLOW_VULNERABLE_PACKAGES?=	yes

instead?  That would let people that want failures from this to set it
to no.

Also perhaps separating the allow logic from the check logic, so that
even with ALLOW_VULNERABLE_PACKAGES=yes, people would still get the
warning.


But perhaps there are no actual people who want this to be fatal, and
it's not useful to accommodate those zero people.