Subject: Re: CVS commit: pkgsrc/mk/bulk
To: None <erh@swapsimple.com>
From: Alistair Crooks <agc@pkgsrc.org>
List: pkgsrc-changes
Date: 11/21/2005 17:39:24
On Mon, Nov 21, 2005 at 10:42:37AM -0600, erh@swapsimple.com wrote:
> (apologies for any typos in quoted material, I pieced this together by hand)
> 
> > On 11/20/2005 Krister Walfridsson wrote:
> > I definitely agree that you should not need to change your configuration
> > as a result of changes in the infrastructure.  My annoyance was because
> 
> The whole point of changing from ALLOW_VULNERABLE_PACKAGES is so you NEED
> to change your configuration and you need to explicitly think about
> which vulnerabilities you're going to allow.  In this case I think it
> is entirely appropriate to need to change your configuration due to 
> infrastructure changes.
> ALLOW_VULNERABLE_PACKAGES is replaced with ALLOW_VULNERABILITIES because
> blindly allowing _all_ vulnerabilities is generally a bad thing.

I really detest systems that tell me how I should behave, or what I
should think. For our bulk builds, we need to be able to specify
that we want to build packages which are vulnerable. I couldn't
really care whether you consider that a bad thing in general or
not, it's what we need. Please fix it as a matter of urgency.

> > On 11/20/2005 Alistair Crooks wrote:
> > I already have ALLOW_VULNERABLE_PACKAGES set in my /etc/mk.conf.  That
> > should be a hint that I don't want audit-packages to be run on bulk
> > builds.  Why do I have to set SKIP_AUDIT_PACKAGES as well?
> 
> 	It's not an additional setting.  It was just renamed.
> As far as I can tell, nothing in pkgsrc/mk currently, or previously
> set ALLOW_VULNERABLE_PACKAGES, so builds, bulk or otherwise, perform
> the audit-packages check.  To me, that seems like the proper default
> setting and the default for SKIP_AUDIT_PACKAGES is exactly the same.

Interesting - you modified a basic part of pkgsrc infrastructure and
didn't perform a bulk build - even a limited one with specific
packages?
 
> 	I had figured, that with the number of messages about this
> (both on this list and on tech-pkg, where I originally posted my changes
> for review) people might notice that they would have to rename their
> ALLOW_VULNERABLE_PACKAGES variable to SKIP_AUDIT_PACKAGES.  (and if not
> seen there, it's documented in mk/default/mk.conf and in the pkgsrc guide)

You should have sent out an announcement after you got the go-ahead
from the package's maintainer (me) that you could make the changes.

You should also provide, as a matter of courtesy, clear instructions
on how to move from old ALLOW_VULNERABLE_PACKAGES to whatever the
equivalent new way of doing it is.

FYI, I disagree with the vulnerability id - and I think there are
better ways to accomplish what you wanted to do. 

I would just note that pkgsrc is broken for me now as a bulk builder. 
You should either fix things so that old settings are respected, or
revert your changes until such time as backwards-compatible settings
are respected.

Alistair
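As an added example (not part of this mail thread and not pkgsrc's own code), the kind of migration helper the thread asks for: it detects an mk.conf that still sets the old ALLOW_VULNERABLE_PACKAGES variable, warns that the setting is no longer honoured (so a bulk build does not silently start running audit-packages again), and rewrites it to the renamed SKIP_AUDIT_PACKAGES. It assumes make-style `VAR=value` lines with optional leading whitespace and the `?=`, `:=` or `+=` operators, and that `#` starts a comment; the sample mk.conf is constructed for the demonstration. The thread gives no value format for ALLOW_VULNERABILITIES, so the script does not try to generate one.

```shell
#!/bin/sh
# Added example (not from the original mail or from pkgsrc itself).
# Helpers for moving an mk.conf from the old ALLOW_VULNERABLE_PACKAGES
# setting to the renamed SKIP_AUDIT_PACKAGES, as described in the thread.
# Assumptions: mk.conf uses make-style "VAR=value" lines, possibly with
# leading whitespace and the ?=, := or += operators; comments start with '#'.

OLD_VAR=ALLOW_VULNERABLE_PACKAGES
NEW_VAR=SKIP_AUDIT_PACKAGES

# Basic regex for an uncommented assignment to the old variable.
OLD_ASSIGN_RE="^[[:space:]]*${OLD_VAR}[[:space:]]*[+:?]\{0,1\}="

# has_old_setting FILE
# Exit 0 if FILE still assigns the old variable, 1 otherwise.
has_old_setting() {
    grep -q "$OLD_ASSIGN_RE" "$1"
}

# migrate_mk_conf FILE
# Print FILE with the old variable renamed, keeping the value and the
# assignment operator. Commented-out lines are left untouched.
migrate_mk_conf() {
    sed -e "s/^\([[:space:]]*\)${OLD_VAR}\([[:space:]]*[+:?]\{0,1\}=\)/\1${NEW_VAR}\2/" "$1"
}

# check_mk_conf FILE
# Warn on stderr (and return 1) if the old, now-ignored variable is still
# set, so a bulk-build wrapper can stop before audit-packages runs.
check_mk_conf() {
    if has_old_setting "$1"; then
        echo "warning: $1 still sets $OLD_VAR, which is no longer honoured; rename it to $NEW_VAR" >&2
        return 1
    fi
    return 0
}

# Constructed sample mk.conf, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# bulk build settings
ALLOW_VULNERABLE_PACKAGES=yes
PKG_DEVELOPER?=     yes
#ALLOW_VULNERABLE_PACKAGES=no
EOF

check_mk_conf "$sample" || true   # warns, because the old variable is set
migrate_mk_conf "$sample"         # prints the rewritten mk.conf
rm -f "$sample"
```

Run `check_mk_conf /etc/mk.conf` from a bulk-build wrapper to fail early, and `migrate_mk_conf /etc/mk.conf > /etc/mk.conf.new` to produce the rewritten file for review before replacing the original.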