help with IGNORE_URL

To: pkgsrc-users%netbsd.org@localhost
Subject: help with IGNORE_URL
From: "Steven M. Bellovin" <smb%cs.columbia.edu@localhost>
Date: Fri, 17 Jul 2009 23:25:25 -0400

I'm trying to use IGNORE_URL to let me build pidgin.  (The advisory
applies to icq; I don't use icq, so I'll take my chances.)

I've created an entry

        IGNORE_URL=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889

in /etc/pkg_install.conf; when I check it via

        # pkg_admin config-var IGNORE_URL
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889
        some-other-advisory

I get what seems to be the right answer.  Nevertheless, when I try to
build it the system complains about the vulnerability:

# make
=> Bootstrap dependency digest>=20010302: found digest-20080510
===> Checking for vulnerabilities in pidgin-2.5.7
Package pidgin-2.5.7 has a denial-of-service vulnerability, see 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in 
pkg_install.conf(5) if this package is absolutely essential.
*** Error code 1

What am I doing wrong?  (This is i386-current from yesterday,
pkg_install 20090610, pkgsrc HEAD.)


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

Follow-Ups:
- Re: help with IGNORE_URL
  - From: Joerg Sonnenberger

Prev by Date: Re: ${PYPKGPREFIX}- for package names (and wip/py-buildbot)
Next by Date: Re: is http://pkgsrccon.org/ dead?
Previous by Thread: subversion-base build problems
Next by Thread: Re: help with IGNORE_URL
Indexes:

Home | Main Index | Thread Index | Old Index