
CVS commit: pkgsrc/mk



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu May 28 16:22:58 UTC 2020

Modified Files:
        pkgsrc/mk/check: check-vulnerable.mk
        pkgsrc/mk/defaults: mk.conf
        pkgsrc/mk/pkgformat/pkg: check.mk

Log Message:
Flip the switch on ALLOW_VULNERABLE_PACKAGES to allow them by default.

Right now, users who install the pkg-vulnerabilities database find that
the vast majority of packages fail to build, penalizing them too severely.
Package auditing can still be done via "pkg_admin audit".

Alternatively, the previous behaviour can be restored with
ALLOW_VULNERABLE_PACKAGES=no in mk.conf.

Additionally, bmake-ify the check.mk logic. It was easier to change the
default this way, as the target previously relied on a single long ${RUN}
shell command.

Proposed on tech-pkg, with no objections to the idea of changing the
default, just the method of doing so.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 pkgsrc/mk/check/check-vulnerable.mk
cvs rdiff -u -r1.310 -r1.311 pkgsrc/mk/defaults/mk.conf
cvs rdiff -u -r1.1 -r1.2 pkgsrc/mk/pkgformat/pkg/check.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mk/check/check-vulnerable.mk
diff -u pkgsrc/mk/check/check-vulnerable.mk:1.5 pkgsrc/mk/check/check-vulnerable.mk:1.6
--- pkgsrc/mk/check/check-vulnerable.mk:1.5     Sat Oct 15 00:23:08 2011
+++ pkgsrc/mk/check/check-vulnerable.mk Thu May 28 16:22:58 2020
@@ -1,4 +1,4 @@
-# $NetBSD: check-vulnerable.mk,v 1.5 2011/10/15 00:23:08 reed Exp $
+# $NetBSD: check-vulnerable.mk,v 1.6 2020/05/28 16:22:58 maya Exp $
 #
 # Public targets:
 #
@@ -6,13 +6,8 @@
 #      Checks for vulnerabilities in the package.
 #
 
-.if defined(ALLOW_VULNERABLE_PACKAGES)
-check-vulnerable: .PHONY
-       @${DO_NADA}
-.  else
 check-vulnerable: .PHONY _pkgformat-check-vulnerable
        @${DO_NADA}
-.endif
 
 # A package format does not need to implement this target, so provide a
 # default implementation.
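Review bot: The "Public targets" header for check-vulnerable no longer says how ALLOW_VULNERABLE_PACKAGES affects it, even though this hunk makes `_pkgformat-check-vulnerable` an unconditional prerequisite and moves the allow/deny decision into the package-format implementation. A reader of this file alone would assume the check is still skippable here. I would extend the comment under "Checks for vulnerabilities in the package." with `#	The audit always runs; whether a hit fails the build is decided by` / `#	the pkgformat implementation via ALLOW_VULNERABLE_PACKAGES (default yes).`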

Index: pkgsrc/mk/defaults/mk.conf
diff -u pkgsrc/mk/defaults/mk.conf:1.310 pkgsrc/mk/defaults/mk.conf:1.311
--- pkgsrc/mk/defaults/mk.conf:1.310    Fri May 15 10:22:42 2020
+++ pkgsrc/mk/defaults/mk.conf  Thu May 28 16:22:58 2020
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.310 2020/05/15 10:22:42 nia Exp $
+# $NetBSD: mk.conf,v 1.311 2020/05/28 16:22:58 maya Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -31,8 +31,8 @@ USE_PKG_ADMIN_DIGEST?=        no
 #ALLOW_VULNERABLE_PACKAGES=
 # allow the user to build packages which are known to be vulnerable to
 # security exploits
-# Possible: defined, not defined
-# Default: not defined
+# Possible: yes, no
+# Default: yes
 
 #AUDIT_PACKAGES_FLAGS=
 # List of flags passed to ``pkg_admin audit-pkg''.
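Review bot: The commented example `#ALLOW_VULNERABLE_PACKAGES=` on the context line above is now inconsistent with "Possible: yes, no", since a bare empty assignment is no longer one of the documented values. I would change it to `#ALLOW_VULNERABLE_PACKAGES=	yes` and add `# Set to "no" to make the build fail when pkg_admin reports the package as vulnerable.` so users see how to restore the old enforcing behaviour without reading the commit log. It is also worth a line noting that installing pkg-vulnerabilities no longer blocks builds and that `pkg_admin audit` remains the way to find vulnerable installed packages.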

Index: pkgsrc/mk/pkgformat/pkg/check.mk
diff -u pkgsrc/mk/pkgformat/pkg/check.mk:1.1 pkgsrc/mk/pkgformat/pkg/check.mk:1.2
--- pkgsrc/mk/pkgformat/pkg/check.mk:1.1        Sat Oct 15 00:23:09 2011
+++ pkgsrc/mk/pkgformat/pkg/check.mk    Thu May 28 16:22:58 2020
@@ -1,25 +1,32 @@
-# $NetBSD: check.mk,v 1.1 2011/10/15 00:23:09 reed Exp $
+# $NetBSD: check.mk,v 1.2 2020/05/28 16:22:58 maya Exp $
 #
 
 # _pkgformat-check-vulnerable:
 #      Checks for known vulnerabilities in the package if a vulnerability
 #      file exists.
 #
+
+ALLOW_VULNERABLE_PACKAGES?=    yes
+
 .if defined(NO_PKGTOOLS_REQD_CHECK)
 _pkgformat-check-vulnerable: .PHONY
        ${RUN}${DO_NADA}
 .else
+
+_VULNFILE:=    ${_EXTRACT_PKGVULNDIR:sh}/pkg-vulnerabilities
 _pkgformat-check-vulnerable: .PHONY
-       ${RUN}\
-       _PKGVULNDIR=`${_EXTRACT_PKGVULNDIR}`; \
-       vulnfile=$$_PKGVULNDIR/pkg-vulnerabilities;             \
-       if ${TEST} ! -f "$$vulnfile"; then                      \
-               ${PHASE_MSG} "Skipping vulnerability checks.";  \
-               ${WARNING_MSG} "No $$vulnfile file found.";     \
-               ${WARNING_MSG} "To fix run: \`${DOWNLOAD_VULN_LIST}'."; \
-               exit 0;                                         \
-       fi;                                                     \
-       ${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
-       ${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
+.  if exists(${_VULNFILE})
+       @${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"
+.    if !empty(ALLOW_VULNERABLE_PACKAGES:tl:Mno)
+       @${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
        || ${FAIL_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."
+.    else
+       @${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} || ${TRUE}
+.    endif
+.  else
+       @${PHASE_MSG} "Skipping vulnerability checks."
+       @${WARNING_MSG} "No ${_VULNFILE} file found."
+       @${WARNING_MSG} "To fix run: \`${DOWNLOAD_VULN_LIST}'."
+.  endif
+
 .endif
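Review bot: The failure text on the `no` branch still says "Define ALLOW_VULNERABLE_PACKAGES in mk.conf", which is now wrong advice: the only way to reach that FAIL_MSG is to have explicitly set the variable to `no`, so the user needs to change its value, not define it. I would rewrite it as `|| ${FAIL_MSG} "Set ALLOW_VULNERABLE_PACKAGES=yes in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."`. Separately, `_VULNFILE:= ${_EXTRACT_PKGVULNDIR:sh}/pkg-vulnerabilities` now runs that command at parse time on every make invocation that includes this file, whereas the old recipe only ran it when the target was built; if `_EXTRACT_PKGVULNDIR` invokes pkg_admin (it is defined outside this hunk, so I cannot confirm), that is an extra process per package parse and the `.if exists(...)` result is frozen before any download in the same run. Since `:tl:Mno` treats every value other than `no` as `yes`, a one-line comment above the `ALLOW_VULNERABLE_PACKAGES?=` default saying so would save the next reader from guessing.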


