tech-pkg archive


Re: Switch vulnerable packages to a warning only



> As someone who sets the variable, I am very sympathetic.  I think it's
> good to have the option to be strict, even if I'm not sure there are any
> actual people who use that.
> 
> So instead of your change above, how about
> 
> ALLOW_VULNERABLE_PACKAGES?=	yes
> 
> instead?  That would let people that want failures from this to set it
> to no.
> 
> Also perhaps separating the allow logic from the check logic, so that
> even with ALLOW_VULNERABLE_PACKAGES=yes, people would still get the
> warning.
> 
> 
> But perhaps there are no actual people who want this to be fatal, and
> it's not useful to accommodate those zero people.

Attached diff to make ALLOW_VULNERABLE_PACKAGES=no.

It's somewhat unnecessary to have ALLOW_VULNERABLE_PACKAGES?=yes (any
value except no, even empty, would do), but this is probably easier to
understand.
Index: check/check-vulnerable.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/check/check-vulnerable.mk,v
retrieving revision 1.5
diff -u -r1.5 check-vulnerable.mk
--- check/check-vulnerable.mk	15 Oct 2011 00:23:08 -0000	1.5
+++ check/check-vulnerable.mk	21 May 2020 16:32:26 -0000
@@ -6,13 +6,8 @@
 #	Checks for vulnerabilities in the package.
 #
 
-.if defined(ALLOW_VULNERABLE_PACKAGES)
-check-vulnerable: .PHONY
-	@${DO_NADA}
-.  else
 check-vulnerable: .PHONY _pkgformat-check-vulnerable
 	@${DO_NADA}
-.endif
 
 # A package format does not need to implement this target, so provide a
 # default implementation.
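Review bot: this hunk changes behaviour for everyone who currently sets the variable, not just the failure handling: the removed `.if defined(ALLOW_VULNERABLE_PACKAGES)` branch skipped `_pkgformat-check-vulnerable` entirely, so those users never ran the audit and never saw the "No vulnerability list found" warning; after this change the audit (and that warning) runs on every build. That matches the quoted request for a warning even when vulnerable packages are allowed, but it should be stated in the commit message so nobody is surprised by new audit output or a new dependency on having the vulnerability list fetched.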
Index: defaults/mk.conf
===================================================================
RCS file: /cvsroot/pkgsrc/mk/defaults/mk.conf,v
retrieving revision 1.310
diff -u -r1.310 mk.conf
--- defaults/mk.conf	15 May 2020 10:22:42 -0000	1.310
+++ defaults/mk.conf	21 May 2020 16:32:26 -0000
@@ -31,8 +31,8 @@
 #ALLOW_VULNERABLE_PACKAGES=
 # allow the user to build packages which are known to be vulnerable to
 # security exploits
-# Possible: defined, not defined
-# Default: not defined
+# Possible: yes, no
+# Default: yes
 
 #AUDIT_PACKAGES_FLAGS=
 # List of flags passed to ``pkg_admin audit-pkg''.
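Review bot: the example line `#ALLOW_VULNERABLE_PACKAGES=` is left with an empty value, which is no longer one of the documented "Possible: yes, no" values; make it `#ALLOW_VULNERABLE_PACKAGES=no` so the commented example shows the non-default setting a user would actually uncomment. The description could also say what each value does under the new scheme: with `yes` the audit still runs and only warns, with `no` a vulnerable package fails the build.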
Index: pkgformat/pkg/check.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/pkgformat/pkg/check.mk,v
retrieving revision 1.1
diff -u -r1.1 check.mk
--- pkgformat/pkg/check.mk	15 Oct 2011 00:23:09 -0000	1.1
+++ pkgformat/pkg/check.mk	21 May 2020 16:32:26 -0000
@@ -5,6 +5,9 @@
 #	Checks for known vulnerabilities in the package if a vulnerability
 #	file exists.
 #
+
+ALLOW_VULNERABLE_PACKAGES?=	yes
+
 .if defined(NO_PKGTOOLS_REQD_CHECK)
 _pkgformat-check-vulnerable: .PHONY
 	${RUN}${DO_NADA}
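Review bot: the `ALLOW_VULNERABLE_PACKAGES?= yes` default is declared in a pkgformat-private file while defaults/mk.conf is where this patch documents "Default: yes"; either keep the two in sync deliberately or set the default in defaults/mk.conf next to its documentation so a later edit to one does not silently diverge from the other. Using `?=` is the right choice here, since a user's existing `ALLOW_VULNERABLE_PACKAGES=` (the old "defined" idiom, empty value) keeps meaning "allowed" under the new `no`-only test.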
@@ -19,7 +22,11 @@
 		${WARNING_MSG} "To fix run: \`${DOWNLOAD_VULN_LIST}'."; \
 		exit 0;						\
 	fi;							\
-	${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
+	${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"
+.if !empty(ALLOW_VULNERABLE_PACKAGES:M[Nn][Oo])
 	${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
 	|| ${FAIL_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."
+.else
+	${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} || ${TRUE}
+.endif
 .endif
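Review bot: dropping the trailing `; \` after the `${PHASE_MSG}` line ends that shell command there, so the `exit 0` in the missing-vulnerability-list branch above no longer skips the audit: the `${AUDIT_PACKAGES}` line in either branch now runs as a separate recipe command in a new shell, and with `ALLOW_VULNERABLE_PACKAGES=no` a missing list turns into a `${FAIL_MSG}` build failure instead of the intended warning-and-continue. Since a continuation backslash immediately before the `.if` would pull the directive into the shell command, select the failure action above the target instead (an `.if` on `ALLOW_VULNERABLE_PACKAGES:M[Nn][Oo]` that sets a make variable to either the `${FAIL_MSG} "..."` or `${TRUE}`) and keep the audit inside the one continued shell command with `|| ${that_variable}`. Also update the message text: "Define ALLOW_VULNERABLE_PACKAGES in mk.conf" is now wrong because the variable is always defined and the fatal case is its value being `no`; say "Set ALLOW_VULNERABLE_PACKAGES=yes in mk.conf".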

