Re: Switch vulnerable packages to a warning only

[Jason Bacon <outpaddling%yahoo.com@localhost>]

On 2020-05-22 16:42, coypu%sdf.org@localhost wrote:
> On Fri, May 22, 2020 at 07:35:14AM -0500, Jason Bacon wrote:
> > On 2020-05-21 11:41, coypu%sdf.org@localhost wrote:
> > > On Thu, May 21, 2020 at 12:39:09PM -0400, Greg Troxel wrote:
> > > > coypu%sdf.org@localhost writes:
> > > >
> > > > > Attached diff to make ALLOW_VULNERABLE_PACKAGES=no.
> > > > >
> > > > > It's somewhat unnecessary to have ALLW_VULNERABLE_PACKAGES?=yes (any
> > > > > value except no, even empty, would do), but this is probably easier to
> > > > > understand.
> > > > Thanks for taking my suggestion and this looks good to m.
> > > Great. I'm going to let it sit for a few days so more people have an
> > > opportunity to object, as I am changing the default behaviour.
> > I think changing this is fine as long as there's always a way to make builds
> > error out by default, even if that's not default behavior.  In most
> > environments, I'm fine with allowing vulnerable packages, but there are two
> > where I want the build to halt:
> >
> > 1. My development trees, so I become aware of all vulnerabilities in
> > dependencies
> > 2. HPC clusters where I run services as root from a pkgsrc tree
> >
> > Thanks for your work on this improvement.
>
> I see. By the way, there's `pkg_admin audit` which is a probably less
> annoying way of reporting that any installed packages are vulnerable.
> This also helps with vulnerabilities discovered after the installation
> of the package.
Thanks, I knew about pkg_admin audit, but when I'm juggling a million 
things and under time pressure, I don't want to have to deliberately 
take action to check all the dependencies for each of my packages.  I 
find it safer to have the system raise a flag that demands my attention 
during normal builds.

Cheers,

    JB