On 2020-05-21 11:41, coypu%sdf.org@localhost wrote:
> On Thu, May 21, 2020 at 12:39:09PM -0400, Greg Troxel wrote:
>> coypu%sdf.org@localhost writes:
>>> Attached diff to make ALLOW_VULNERABLE_PACKAGES=no. It's somewhat unnecessary to have ALLOW_VULNERABLE_PACKAGES?=yes (any value except no, even empty, would do), but this is probably easier to understand.
>> Thanks for taking my suggestion and this looks good to me.
> Great. I'm going to let it sit for a few days so more people have an opportunity to object, as I am changing the default behaviour.

I think changing this is fine as long as there's always a way to make builds error out by default, even if that's not default behavior. In most environments, I'm fine with allowing vulnerable packages, but there are two where I want the build to halt:

1. My development trees, so I become aware of all vulnerabilities in dependencies
2. HPC clusters where I run services as root from a pkgsrc tree

Thanks for your work on this improvement.

JB