Re: pkg/59446: not respected: ALLOW_VULNERABLE_PACKAGES=NO

[George Georgalis <george%galis.org@localhost>]

Hi Kimmo,

That's what I thought the gap was at first... so I ran these commands (in the original report) to confirm the problem:

cd $pkgsrc/net/tcpdump/ && bmake clean
===> Cleaning for tcpdump-4.99.5
cd $pkgsrc/net/tcpdump/ && bmake install
===> Building binary package for tcpdump-4.99.5
=> Creating binary package /opt/pkgsrc-stable/pkg-2025Q1-68350-Darwin_22.6.0_arm64/All/tcpdump-4.99.5.tgz
===> Installing binary package of tcpdump-4.99.5
cd $pkgsrc/net/tcpdump/ && bmake show-var VARNAME=ALLOW_VULNERABLE_PACKAGES
NO

that fails your expectation, doesn't it? if not, what exactly does ALLOW_VULNERABLE_PACKAGES mean?

regards,

-George

On Tue, May 27, 2025 at 1:50 AM Kimmo Suominen via gnats <gnats-admin%netbsd.org@localhost> wrote:

The following reply was made to PR pkg/59446; it has been noted by GNATS.

From: Kimmo Suominen <kim%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: pkg/59446: not respected: ALLOW_VULNERABLE_PACKAGES=NO
Date: Tue, 27 May 2025 11:45:02 +0300

 Hi George,

 On Tue, May 27, 2025 at 08:00:01AM +0000, george%galis.org@localhost wrote:
 > cat >>$LOCALBASE/etc/mk.conf <<eof
 > # Security and vulnerability management
 > ALLOW_VULNERABLE_PACKAGES=  NO
 > eof
 >
 > pkgin in tcpdump

 You cannot configure pkgin settings in /etc/mk.conf as it has its own
 configuration files.  I don't think pkgin has a corresponding setting,
 though.

 If you use "make package-install" instead of "make package" then I would
 expect the setting to be respected.

 Kind regards,
 + Kimmo

--

George Georgalis, (415) 894-2710, http://www.galis.org/