tech-pkg archive


Re: Switch vulnerable packages to a warning only



On Thu, May 21, 2020 at 06:46:38PM +0200, Joerg Sonnenberger wrote:
> On Thu, May 21, 2020 at 04:34:19PM +0000, coypu%sdf.org@localhost wrote:
> > It's somewhat unnecessary to have ALLOW_VULNERABLE_PACKAGES?=yes (any
> > value except no, even empty, would do), but this is probably easier to
> > understand.
> 
> It makes a difference whether auditing is done at all or if the result
> is ignored. Namely on whether the non-existence of the vulnerability
> file is an error. So if anything, it should be a trinary option (yes,
> no, warn).

I can't imagine a scenario (short of severely malfunctioning tools)
where someone would care about the difference between "no" and "warn".

Can you elaborate?

Also: my main reason for waiting with the change is the change of the
default (to non-fatal); I see this as a discussion of the implementation
details rather than an objection.

