pkgsrc-Bugs archive
Re: pkg/59446: not respected: ALLOW_VULNERABLE_PACKAGES=NO
The following reply was made to PR pkg/59446; it has been noted by GNATS.
From: Jonathan Perkin <jperkin%pkgsrc.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: pkg/59446: not respected: ALLOW_VULNERABLE_PACKAGES=NO
Date: Tue, 27 May 2025 11:26:15 +0100

* On 2025-05-27 at 09:50 BST, Kimmo Suominen via gnats wrote:

> You cannot configure pkgin settings in /etc/mk.conf as it has its own
> configuration files. I don't think pkgin has a corresponding setting,
> though.

It doesn't, and I have no plans to add one to it, not unless either
pkg-vulnerabilities is overhauled to provide a scoring system, or the
vulnerabilities it lists are taken seriously.

As it stands, and has done for at least the last 10 years if not longer,
this setting is pretty much useless in actual usage, and you will not be
able to install any useful set of packages with it enabled.

(Anecdotally, I try to keep my installed packages to a minimum on my
work desktop, I'm running pkgsrc trunk from yesterday, and removing
vulnerable packages would almost completely wipe out all of the useful
packages I install, absolutely basic things like mutt, curl, perl,
python, neovim, etc - and that only takes into account runtime
dependencies. Build time would be even worse).

--
Jonathan Perkin pkgsrc.smartos.org
Open Source Complete Cloud www.tritondatacenter.com