Subject: dependencies & security vulnerabilities
To: None <tech-pkg@NetBSD.org>
From: Johnny C. Lam <jlam@NetBSD.org>
List: tech-pkg
Date: 07/30/2005 02:38:49 
I would like to drop the use of bumping dependencies solely for the
sake of security vulnerabilities.  Those are completely artificial
dependency requirements that are imposed via policy, and are not the
actual requirements of the package.  One unfortunate effect of this
policy is to make all vulnerabilities have the same level of severity
-- critical -- from a pkgsrc standpoint, when every vulnerability
report out there talks about different levels of severity for security
vulnerabilities.

Now maybe it's just me, but I think that's not really such a good
thing to foist onto system admins.  As an admin, I like to determine
my own policies.  What I'd like to do is the following sequence of
steps:  I get a report from audit-packages about security vulnerabilities
in a particular package; it tells me the relevant URL to read about
the vulnerability in more detail; I decide based on that reading
whether to update the package or not.  If I'm lazy, I can skip the
URL lookup and just blindly update the vulnerable packages.  We don't
_need_ pkgsrc infrastructure to deal with any of this -- audit-packages
does a good job of pointing out packages for which there are known
vulnerabilities, and everything else is something I need to decide on
a site-by-site basis.  Now, we can surely provide a "good default"
for naive users of pkgsrc, but I don't think that "force everyone to
always use packages without vulnerabilities" is the "good default".
From the perspective of most users, a good default is "allow me to
use the packages I have already installed".  The sledgehammer of
setting IGNORE_RECOMMENDED doesn't encompass the fairly common-sense
process I outlined above.  The problem is as I noted above -- this is
a policy issue, not a technical one, and shoehorning it into the
DEPENDS settings is what causes us grief on this issue.

    ================================================================
    | Proposal -- Nuke any RECOMMENDED used for security issues    |
    |                                                              |
    | I propose we just completely nuke all dependencies that are  |
    | a result of "security vulnerability" issues and focus solely |
    | on ABI issues.  This means getting rid of most of the        |
    | BUILDLINK_RECOMMENDED.* and RECOMMENDED settings in pkgsrc.  |
    ================================================================

Comments?

	Thanks,

	-- Johnny Lam <jlam@NetBSD.org>