tech-pkg archive


Re: Switch vulnerable packages to a warning only



On Sat, May 23, 2020 at 01:28:47AM +0200, Joerg Sonnenberger wrote:
> On Fri, May 22, 2020 at 10:46:00PM +0000, maya%NetBSD.org@localhost wrote:
> > On Thu, May 21, 2020 at 06:46:38PM +0200, Joerg Sonnenberger wrote:
> > > On Thu, May 21, 2020 at 04:34:19PM +0000, coypu%sdf.org@localhost wrote:
> > > > It's somewhat unnecessary to have ALLOW_VULNERABLE_PACKAGES?=yes (any
> > > > value except no, even empty, would do), but this is probably easier to
> > > > understand.
> > > 
> > > It makes a difference whether auditing is done at all or if the result
> > > is ignored. Namely on whether the non-existence of the vulnerability
> > > file is an error. So if anything, it should be a trinary option (yes,
> > > no, warn).
> > 
> > I can't imagine a scenario (short of severely malfunctioning tools)
> > where someone would care about the difference between "no" and "warn".
> 
> If set to no, it shouldn't complain about missing vulnerability file.
> That's just not helpful at all. If set to warn, it certainly should
> complain (or maybe even fail). If set to yes, it most definitely should
> fail.
> 
> > Also: my main reason for waiting with the change is the change of the
> > default (to non-fatal), I see this as a discussion of the implementation
> > details rather than an objection.
> 
> I don't care too much about the default value here.
> 
> Joerg

This was an unintended change. I didn't realize the effect I had by
changing it: it was a long ${RUN} with \ at the end of all the lines,
and I removed one of them for the bmake conditional.

I've bmake-ified the file, so it no longer does this. Attached is the
full file, which might be easier to read than the diff.

# $NetBSD: check.mk,v 1.1 2011/10/15 00:23:09 reed Exp $
#

# _pkgformat-check-vulnerable:
#	Checks for known vulnerabilities in the package if a vulnerability
#	file exists.
#

ALLOW_VULNERABLE_PACKAGES?=	yes

.if defined(NO_PKGTOOLS_REQD_CHECK)
_pkgformat-check-vulnerable: .PHONY
	${RUN}${DO_NADA}
.else

_VULNFILE:=	${_EXTRACT_PKGVULNDIR:sh}/pkg-vulnerabilities
_pkgformat-check-vulnerable: .PHONY
.  if exists(${_VULNFILE})
	@${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"
# Only a (case-insensitive) value of "no" makes a vulnerable package fatal;
# any other value, including an empty one, only warns.
.    if !empty(ALLOW_VULNERABLE_PACKAGES:tl:Mno)
	@${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
	|| ${FAIL_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."
.    else
	@${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} || ${TRUE}
.    endif
.  else
	@${PHASE_MSG} "Skipping vulnerability checks."
	@${WARNING_MSG} "No ${_VULNFILE} file found."
	@${WARNING_MSG} "To fix run: \`${DOWNLOAD_VULN_LIST}'."
.  endif

.endif
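As an added illustration, not part of the thread or of pkgsrc, the three-state gate Joerg sketches above (audit and fail, audit and warn, or do not audit at all) written out as a POSIX sh function. The mode names "fail", "warn" and "off", the argument layout and the "proceed"/"stop" result words are this example's own assumptions; the thread does not settle how such states would be spelled as ALLOW_VULNERABLE_PACKAGES values, and for "warn" on a missing database the example picks the "complain but continue" reading. The audit result is passed in as the exit status audit-packages would have returned, so the function runs without a pkg-vulnerabilities file present.

```shell
#!/bin/sh
# Added example, not pkgsrc code: a shell model of the trinary
# vulnerability gate discussed in the thread. Mode labels "fail",
# "warn" and "off" are this example's own; the mapping onto spelled
# values of ALLOW_VULNERABLE_PACKAGES is what the thread leaves open.
#
# vuln_gate MODE HAVE_DB AUDIT_RC
#   MODE      fail | warn | off (case-insensitive, like bmake's :tl)
#   HAVE_DB   1 if pkg-vulnerabilities exists, 0 if it is missing
#   AUDIT_RC  exit status audit-packages would return (0 = no known vuln)
# Prints "proceed" or "stop" on stdout, diagnostics on stderr, and
# returns 0 (proceed) or 1 (stop) so it could sit behind a recipe's "||".
vuln_gate() {
    mode=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    have_db=$2
    audit_rc=$3

    case "$mode" in
        fail|warn|off) ;;
        *)
            echo "ERROR: unknown vulnerability-check mode '$1'" >&2
            echo stop
            return 1 ;;
    esac

    # "off": no audit is run, so a missing database is nothing to report.
    if [ "$mode" = off ]; then
        echo "Skipping vulnerability checks." >&2
        echo proceed
        return 0
    fi

    # A missing database is only an error when the result would be enforced.
    if [ "$have_db" -eq 0 ]; then
        if [ "$mode" = fail ]; then
            echo "ERROR: no pkg-vulnerabilities file found." >&2
            echo stop
            return 1
        fi
        echo "WARNING: no pkg-vulnerabilities file found." >&2
        echo proceed
        return 0
    fi

    # Database present: honour the audit result according to the mode.
    if [ "$audit_rc" -eq 0 ]; then
        echo proceed
        return 0
    fi
    if [ "$mode" = fail ]; then
        echo "ERROR: package has known vulnerabilities." >&2
        echo stop
        return 1
    fi
    echo "WARNING: package has known vulnerabilities, continuing." >&2
    echo proceed
    return 0
}

# Stand-alone demonstration: walk the whole decision table.
for m in fail warn off; do
    for db in 1 0; do
        for rc in 0 1; do
            r=$(vuln_gate "$m" "$db" "$rc" 2>/dev/null) || true
            printf 'mode=%-4s have_db=%s audit_rc=%s -> %s\n' "$m" "$db" "$rc" "$r"
        done
    done
done
```

The table printed by the loop makes the point of the thread visible: "warn" and "off" both let the build proceed on a vulnerable package, but only "off" stays silent when the database is absent, and only "fail" turns a missing database into a hard error.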

