tech-pkg archive


Re: Switch vulnerable packages to a warning only



On Thu, May 21, 2020 at 05:52:58PM +0100, Jonathan Perkin wrote:
 > And even if they get bootstrapped, they aren't going to get very far:
 > 
 >   Package icu-66.1 has a integer-overflow vulnerability
 >   Package libxml2-2.9.10nb1 has a buffer-overflow vulnerability
 >   Package perl-5.30.2 has a symlink-attack vulnerability
 >   Package python27-2.7.18 has a denial-of-service vulnerability
 >   Package python37-3.7.7 has a crlf-attack vulnerability
 >   Package python37-3.7.7 has a denial-of-service vulnerability
 >   ...
 > 
 > It's a nice idea, but with the current state of affairs it's
 > completely unrealistic as an option, and certainly as a default one.

Yeah, this.

I think it would be great if we managed to get back to a state where
these warnings only cropped up occasionally, but that's a heck of a
lot of work (both for us and a lot of upstreams) and the deluge of
minor bugs that are branded "vulnerabilities" is not likely to slack
off anytime soon.

-- 
David A. Holland
dholland%netbsd.org@localhost

