On Mon, Nov 21, 2005 at 05:39:24PM +0000, Alistair Crooks wrote:
> I really detest systems that tell me how I should behave, or what I
> should think. For our bulk builds, we need to be able to specify
> that we want to build packages which are vulnerable. I couldn't

	huh?  You can continue to use the all or nothing method, just with
a different variable name.  I provided a better way to specify which
vulnerabilities to ignore, if all you care about is getting one particular
package installed.  You don't need to use that feature if you don't want to.

> > 	It's not an additional setting.  It was just renamed.
> > As far as I can tell, nothing in pkgsrc/mk currently, or previously
> > set ALLOW_VULNERABLE_PACKAGES, so builds, bulk or otherwise, perform
> > the audit-packages check.  To me, that seems like the proper default
> > setting and the default for SKIP_AUDIT_PACKAGES is exactly the same.
> 
> Interesting - you modified a basic part of pkgsrc infrastructure and
> didn't perform a bulk build - even a limited one with specific
> packages?

	I thought I did, but apparently not the official way.  I had only
performed limited bulk builds, and only by using the bulk-* targets directly,
so I didn't realize that some packages (like pkg_install) get installed/updated
automatically.  Every time I've done it had to install those by hand before
runing "make bulk-package", so I figured the audit-packages pacakge was
in the same category.

	Regardless of how the audit checks are disabled, it sounds like your
change to include audit-packages in BULK_PREREQ should be put back in (if
you backed it out already).  Running bulk builds with the security checks
turned on should probably be supported, and you'd need that in the prereq
list even without my changes.

> You should have sent out an announcement after you got the go-ahead
> from the package's maintainer (me) that you could make the changes.

	Yes, you're right.  Sorry.

> You should also provide, as a matter of courtesy, clear instructions
> on how to move from old ALLOW_VULNERABLE_PACKAGES to whatever the
> equivalent new way of doing it is.

How's this:
The new equivalent of ALLOW_VULNERABLE_PACKAGES is SKIP_AUDIT_PACKAGES.
If you want to ignore all security checks set this:
	SKIP_AUDIT_PACKAGES=yes

However, a better way would be to note the vulnerability id that is show
when you try to build a package, or from the output of audit-packages,
and set this instead:
	ALLOW_VULNERABILITIES.<pkgbase>+=<vulnid>
Where <pkgbase> is the name of the package, without a version number and
<vulnid> is the vulnerability id.
This way you can build packages where you've decided that the vulnerability
in question is something you're willing to deal with, without the risk
of accidentally including a package with a vulnerability that you really
do care about.

> FYI, I disagree with the vulnerability id - and I think there are
> better ways to accomplish what you wanted to do. 

well, I'm listening.  fwiw, two other ways I considered were:
1) using a line number in the vulnerbilities file.
	- seemed too fragile wrt otherwise inconsequential changes to that file.
	- harder to tell which line the vulnid corresponds to
2) using the url from the line in the vulnerabilities file
	- not guaranteed to be unique
	- less convenient to add to mk.conf
	- more quoting issues in audit-packages

> I would just note that pkgsrc is broken for me now as a bulk builder. 
> You should either fix things so that old settings are respected, or
> revert your changes until such time as backwards-compatible settings
> are respected.

Can you tell me what's wrong with setting this:
	SKIP_AUDIT_PACKAGES=yes
Just exactly HOW is that broken?

eric