Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: Havard Eidnes <he@uninett.no>
From: Dieter Baron <dillo@danbala.tuwien.ac.at>
List: tech-pkg
Date: 08/26/2005 15:12:35
In article <20050826.121408.115924032.he@uninett.no> Havard wrote:
: > Instead of define ALLOW_VULNERABLE_PACKAGES if this package is absolutely
: > essential, we should require that it be set to the package name itself.
: >
: > That way if someone chose to define ALLOW_VULNERABLE_PACKAGES for one
: > particular package they can't bypass the vulnerabilities warning in
: > another package.
: >
: > ALLOW_VULNERABLE_PACKAGES+= gcpio foo bar baz
: >
: > In fact, we could make it even more precise such as include version and
: > PKGREVISION such as:
: >
: > bmake ALLOW_VULNERABLE_PACKAGES=gcpio-2.5nb1 install
: >
: > Thoughts?
: I do agree that even though ALLOW_VULNERABLE_PACKAGES is set, a
: warning should be given during the install of any recursively
: pulled in packages.
I absolutely agree.
: However, I'm not sure I agree that removing this ability to say
: "yes, I really would like this package and its dependencies to
: be installed, even if they might contain vulnerabilities" should
: be removed, and turned into an iterative "whack-a-mole" process.
: I think the latter would be a big turnoff for new users.
Neither do I, but if
ALLOW_VULNERABLE_PACKAGES=*
means allow all packages, your concern should be addressed, no?
yours,
dillo
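Added example, not code from this thread or from pkgsrc: a POSIX sh sketch of how the three forms discussed above (a `*` wildcard meaning every package, a bare package name such as `gcpio`, and a full PKGNAME such as `gcpio-2.5nb1`) could coexist in one ALLOW_VULNERABLE_PACKAGES list. The function names and the rule for stripping the version suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not pkgsrc code): models the matching semantics proposed
# in this thread for ALLOW_VULNERABLE_PACKAGES. An entry may be "*" (allow
# everything), a package base name ("gcpio"), or a full PKGNAME with
# version and PKGREVISION ("gcpio-2.5nb1"). Names and rules are assumptions.

# pkgbase: strip the trailing "-<version>" from a PKGNAME (assumed rule:
# the last "-" followed by a digit starts the version).
# "gcpio-2.5nb1" -> "gcpio"; "py27-foo-1.0" -> "py27-foo"
pkgbase() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*$//'
}

# vulnerable_allowed PKGNAME "ALLOW_VULNERABLE_PACKAGES value"
# Returns 0 (true) when the vulnerability check may be bypassed for PKGNAME.
vulnerable_allowed() {
    pkgname=$1
    base=$(pkgbase "$pkgname")
    matched=1
    set -f                      # no filename globbing while splitting the list
    for entry in $2; do
        case $entry in
            '*')        matched=0; break ;;   # explicit "allow all" escape hatch
            "$pkgname") matched=0; break ;;   # exact name+version+PKGREVISION
            "$base")    matched=0; break ;;   # base name covers every version
        esac
    done
    set +f
    return $matched
}

# check_install PKGNAME "ALLOW value": what a hypothetical install hook
# would report; a warning is still printed for bypassed packages, as the
# thread agrees it should be.
check_install() {
    if vulnerable_allowed "$1" "$2"; then
        echo "WARNING: $1 has known vulnerabilities; installing anyway"
        return 0
    fi
    echo "ERROR: $1 has known vulnerabilities; not in ALLOW_VULNERABLE_PACKAGES"
    return 1
}
```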