pkgsrc-Bugs archive
Re: pkg/59446: not respected: ALLOW_VULNERABLE_PACKAGES=NO
The following reply was made to PR pkg/59446; it has been noted by GNATS.
From: Kimmo Suominen <kim%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: pkg/59446: not respected: ALLOW_VULNERABLE_PACKAGES=NO
Date: Tue, 27 May 2025 13:14:38 +0300
Hi George,
On Tue, May 27, 2025 at 09:15:01AM +0000, George Georgalis via gnats wrote:
> That's what I thought the gap was at first... so I ran these commands (in
> the original report) to confirm the problem:
>
> cd $pkgsrc/net/tcpdump/ && bmake clean
> cd $pkgsrc/net/tcpdump/ && bmake install
[...]
> ===> Installing binary package of tcpdump-4.99.5
[...]
>
> that fails your expectation, doesn't it? if not, what exactly does
> ALLOW_VULNERABLE_PACKAGES mean?
Looking at the documentation of ALLOW_VULNERABLE_PACKAGES, it sounds
like even building the package should have failed:
#ALLOW_VULNERABLE_PACKAGES=
# allow the user to build packages which are known to be vulnerable to
# security exploits
# Possible: yes, no
# Default: yes
Ref: pkgsrc/mk/defaults/mk.conf
It looks like the target that checks for vulnerabilities is gated by
NO_PKGTOOLS_REQD_CHECK and the _VULNFILE file existing. You could check
that these are set to expected values also:
make show-var VARNAME=_VULNFILE
make show-var VARNAME=NO_PKGTOOLS_REQD_CHECK
Ref: pkgsrc/mk/pkgformat/pkg/check.mk
These looked fine on my system, so I then added this debugging:
Index: pkgformat/pkg/check.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/pkgformat/pkg/check.mk,v
retrieving revision 1.3
diff -u -p -r1.3 check.mk
--- pkgformat/pkg/check.mk 23 Nov 2022 11:17:51 -0000 1.3
+++ pkgformat/pkg/check.mk 27 May 2025 09:56:40 -0000
@@ -17,6 +17,7 @@ _VULNFILE:= ${_EXTRACT_PKGVULNDIR:sh}/pk
_pkgformat-check-vulnerable: .PHONY
. if exists(${_VULNFILE})
@${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"
+ @${PHASE_MSG} "ALLOW_VULNERABLE_PACKAGES='${ALLOW_VULNERABLE_PACKAGES}'"
. if !empty(ALLOW_VULNERABLE_PACKAGES:tl:Mno)
@${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
|| ${FAIL_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."
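Review bot: the added PHASE_MSG line is a local diagnostic and should stay out of any commit; what makes it useful is the single quotes around the expansion, because the `.if !empty(ALLOW_VULNERABLE_PACKAGES:tl:Mno)` test right below runs ${AUDIT_PACKAGES} only when the value lower-cases to "no", so an empty value skips the audit without printing anything, and the quoted probe is the only place that empty value becomes visible.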
I found that ALLOW_VULNERABLE_PACKAGES was always empty when make got
this far.
Looking through the code, I saw that the barrier stuff is explicitly
unsetting ALLOW_VULNERABLE_PACKAGES. The following patch removes that,
and this change restores the expected behaviour.
Index: bsd.pkg.barrier.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.barrier.mk,v
retrieving revision 1.23
diff -u -p -r1.23 bsd.pkg.barrier.mk
--- bsd.pkg.barrier.mk 28 Jan 2025 16:01:59 -0000 1.23
+++ bsd.pkg.barrier.mk 27 May 2025 09:56:39 -0000
@@ -71,7 +71,7 @@ barrier: ${_BARRIER_PRE_TARGETS} ${_COOK
${PHASE_MSG} "Skipping installation of already handled package"; \
else \
cd ${.CURDIR} \
- && ${RECURSIVE_MAKE} ${MAKEFLAGS} _PKGSRC_BARRIER=yes ALLOW_VULNERABLE_PACKAGES= ${_BARRIER_CMDLINE_TARGETS} \
+ && ${RECURSIVE_MAKE} ${MAKEFLAGS} _PKGSRC_BARRIER=yes ${_BARRIER_CMDLINE_TARGETS} \
|| { \
exitcode="$$?"; \
${RECURSIVE_MAKE} ${MAKEFLAGS} _PKGSRC_BARRIER=yes barrier-error-check; \
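Review bot: the removed `ALLOW_VULNERABLE_PACKAGES=` is a command-line assignment, and command-line assignments take precedence over mk.conf in the child make, so with it in place the post-barrier run always sees an empty value regardless of user configuration; dropping it is the minimal fix and also makes this invocation consistent with the `barrier-error-check` call two lines below, which already passes only `_PKGSRC_BARRIER=yes`. Before this goes in, the hunk needs a comment or commit message recording why the variable was cleared originally (the surrounding text says this is unknown); if a deliberate reason turns up, it may call for a different fix than deleting the assignment.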
However, since I have absolutely no idea why the code would be
unsetting ALLOW_VULNERABLE_PACKAGES to begin with, I have not committed
this change. That unsetting has been there since the inception of
bsd.pkg.barrier.mk in July 2006 (almost 19 years ago).
Ref: https://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/mk/bsd.pkg.barrier.mk?rev=1.1;content-type=text%2Fx-cvsweb-markup
Maybe you could bring this up on tech-pkg@ for discussion?
Kind regards,
+ Kimmo
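As an added example (not part of the PR or of pkgsrc), the script below reproduces the precedence effect behind the second patch: a value set in the Makefile (standing in for mk.conf) is clobbered by an empty command-line assignment, exactly as `ALLOW_VULNERABLE_PACKAGES=` on the recursive make line does, and the `:tl:Mno` gate from check.mk is mirrored in shell to show that the empty value silently skips the audit. It assumes a `make` (or bmake via the MAKE environment variable) is on PATH; the Makefile and directory it writes are constructed for the demo.

```shell
#!/bin/sh
# Added demonstration of make command-line precedence; not pkgsrc code.
set -eu

MAKE_CMD=${MAKE:-make}   # assumption: POSIX make or bmake on PATH

# Write a throwaway Makefile that sets the variable the way mk.conf does
# and has a target that prints what the running make actually sees.
setup_demo() {
  d=$(mktemp -d)
  printf 'ALLOW_VULNERABLE_PACKAGES=no\ncheck:\n\t@echo "$(ALLOW_VULNERABLE_PACKAGES)"\n' \
    > "$d/Makefile"
  echo "$d"
}

# Run the child make with whatever extra command-line words the caller
# passes (e.g. 'ALLOW_VULNERABLE_PACKAGES=' as the barrier did) and
# return the value the child resolved.
resolved_value() {
  rd=$1; shift
  (cd "$rd" && "$MAKE_CMD" check "$@")
}

# Shell mirror of check.mk's gate '.if !empty(ALLOW_VULNERABLE_PACKAGES:tl:Mno)':
# lower-case the value and run the audit only if it is exactly "no".
audit_gate() {
  case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
    no) echo run ;;
    *)  echo skip ;;
  esac
}

# Compare a plain invocation with the barrier-style override.
demo() {
  d=$(setup_demo)
  plain=$(resolved_value "$d")
  clobbered=$(resolved_value "$d" ALLOW_VULNERABLE_PACKAGES=)
  rm -rf "$d"
  printf 'plain make:              value=%s audit=%s\n' "$plain" "$(audit_gate "$plain")"
  printf 'with empty override:     value=%s audit=%s\n' "$clobbered" "$(audit_gate "$clobbered")"
}

if command -v "$MAKE_CMD" >/dev/null 2>&1; then
  demo
fi
```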