tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Switch vulnerable packages to a warning only
On Thu, May 21, 2020 at 06:46:38PM +0200, Joerg Sonnenberger wrote:
> On Thu, May 21, 2020 at 04:34:19PM +0000, coypu%sdf.org@localhost wrote:
> > It's somewhat unnecessary to have ALLW_VULNERABLE_PACKAGES?=yes (any
> > value except no, even empty, would do), but this is probably easier to
> > understand.
>
> It makes a difference whether auditing is done at all or if the result
> is ignored. Namely on whether the non-existance of the vulnerability
> file is an error. So if anything, it should be a trinary option (yes,
> no, warn).
I can't imagine a scenario (short of severely malfunctioning tools)
where someone would care about the difference between "no" and "warn".
Can you elaborate?
Also: my main reason for waiting with the change is the change of the
default (to non-fatal), I see this as a discussion of the implementation
details rather than an objection.
Home |
Main Index |
Thread Index |
Old Index