tech-pkg archive


Re: Switch vulnerable packages to a warning only



On Fri, May 22, 2020 at 07:35:14AM -0500, Jason Bacon wrote:
> On 2020-05-21 11:41, coypu%sdf.org@localhost wrote:
> > On Thu, May 21, 2020 at 12:39:09PM -0400, Greg Troxel wrote:
> > > coypu%sdf.org@localhost writes:
> > > 
> > > > Attached diff to make ALLOW_VULNERABLE_PACKAGES=no.
> > > > 
> > > > It's somewhat unnecessary to have ALLOW_VULNERABLE_PACKAGES?=yes (any
> > > > value except no, even empty, would do), but this is probably easier to
> > > > understand.
> > > Thanks for taking my suggestion and this looks good to me.
> > Great. I'm going to let it sit for a few days so more people have an
> > opportunity to object, as I am changing the default behaviour.
> I think changing this is fine as long as there's always a way to make builds
> error out by default, even if that's not default behavior.  In most
> environments, I'm fine with allowing vulnerable packages, but there are two
> where I want the build to halt:
> 
> 1. My development trees, so I become aware of all vulnerabilities in
> dependencies
> 2. HPC clusters where I run services as root from a pkgsrc tree
> 
> Thanks for your work on this improvement.


I see. By the way, there's `pkg_admin audit`, which is probably a less
annoying way of reporting that any installed packages are vulnerable.
This also helps with vulnerabilities discovered after the installation
of the package.

