Subject: Re: Proposed audit-packages changes
To: Todd Vierling <tv@duh.org>
From: Johnny C. Lam <jlam@pkgsrc.org>
List: tech-pkg
Date: 11/22/2005 12:17:36
Todd Vierling wrote:
> On Tue, 22 Nov 2005, Johnny C. Lam wrote:
> 
> 
>>This last change is possibly controversial new behavior because it
>>matches neither the old nor the current behavior:
>>
>>* "CHECK_VULNERABILITIES" defaults to "yes" only if the audit-packages
>>  script can be found; otherwise, it defaults to "no".  The purpose
>>  of this change is to not force audit-packages to be installed.
>>
>>The old behavior was that vulnerability checks were performed regardless
>>of whether audit-packages was installed or not.  This was due to the
>>standalone implementation of the auditing code in the old
>>"check-vulnerable" target.  The current behavior is that audit-packages
>>must be installed for pkgsrc to work, which again forces the vulnerability
>>checks to be performed.  The proposed behavior is that we only perform
>>the checks if we can actually do so.  This can be considered a weakening
>>of the security of pkgsrc, so we may not want to do this.
> 
> 
> audit-packages is an unreasonable forced dependency, so whatever behavior
> you choose, the default must not require its presence.  This is not a
> "weakening", because this was already the prior behavior of pkgsrc.

But this isn't true, and I explained why in the paragraph you quoted 
above -- bsd.pkg.mk's check-vulnerable target used to have its own 
implementation of the audit-packages script hardcoded into the target. 
That was how pkgsrc ran the vulnerability checks regardless of whether 
audit-packages was installed.  In my proposed change, if 
CHECK_VULNERABILITIES is "yes" (the default), then audit-packages is 
added as a build dependency.

Actually, I didn't do it entirely correctly because dependencies are 
installed after the "fetch" target is run, so it would be possible to 
sidestep the vulnerability check by removing audit-packages from your 
system, then running "make" in a particular package's directory.  I will 
need to amend the check-vulnerable target to only run the audit if the 
audit-packages script is detected, and also insert "check-vulnerable" as 
an additional prerequisite just after dependencies are installed.

	Cheers,

	-- Johnny Lam <jlam@pkgsrc.org>
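
A shell model of the ordering described in the message above, added here as an illustration and not pkgsrc's or the author's code: the check is skipped when the script is absent, then run again once dependencies are installed. The function names, the stub script and the package names are constructed for the example and do not mirror the real audit-packages interface.

```shell
#!/bin/sh
# Model of the amended ordering. All names are hypothetical; the stub below
# stands in for audit-packages and does not mirror its real interface.

# Run the audit only if the script is found in tooldir ($1) for package ($2).
# Prints "skipped", "clean" or "vulnerable"; returns 1 only for "vulnerable".
check_vulnerable() {
    tool="$1/audit-packages"
    if [ ! -f "$tool" ]; then
        echo skipped
        return 0
    fi
    if sh "$tool" "$2" >/dev/null 2>&1; then
        echo clean
    else
        echo vulnerable
        return 1
    fi
}

# Constructed stand-in for installing the audit tool as a build dependency.
install_dependencies() {
    cat > "$1/audit-packages" <<'EOF'
#!/bin/sh
# Constructed stub: flags one sample package name as vulnerable.
[ "$1" != "badpkg-1.0" ]
EOF
}

# Fetch-time check, then dependencies, then the check again as an extra
# prerequisite. Prints both check results; returns 1 if either one fails.
build() {
    tooldir="$1"; pkg="$2"
    first=$(check_vulnerable "$tooldir" "$pkg") || { echo "$first -"; return 1; }
    install_dependencies "$tooldir"
    second=$(check_vulnerable "$tooldir" "$pkg") || { echo "$first $second"; return 1; }
    echo "$first $second"
}
```

With only the fetch-time check, a run that starts without the script would report "skipped" and carry on; the second check is what catches the vulnerable package in that case.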