Subject: Re: Proposed audit-packages changes
To: Johnny C. Lam <jlam@pkgsrc.org>
From: Todd Vierling <tv@duh.org>
List: tech-pkg
Date: 11/22/2005 12:41:44
On Tue, 22 Nov 2005, Johnny C. Lam wrote:

> > audit-packages is an unreasonable forced dependency, so whatever behavior
> > you choose, the default must not require its presence.  This is not a
> > "weakening", because this was already the prior behavior of pkgsrc.
>
> But this isn't true, and I explained why in the paragraph you quoted above --
> bsd.pkg.mk's check-vulnerable target used to have its own implementation
> of the audit-packages script hardcoded into the target. That was how pkgsrc
> ran the vulnerability checks regardless of whether audit-packages was
> installed.  In my proposed change, if CHECK_VULNERABILITIES is "yes" (the
> default), then audit-packages is added as a build dependency.

Actually, with neither audit-packages nor a vulnerabilities file on disk,
pkgsrc worked *just fine* (albeit with warnings).  Going back to this
behavior by default is as much of a "weakening" of pkgsrc security as a
reversion of recent irresponsible tax cuts is a tax "hike".

The default should require neither of audit-packages nor
pkg-vulnerabilities.  Have it yell and scream all you want like it did
previously, but building must not fail by default if these are not present.

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
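The behaviour under discussion (a check-vulnerable step that warns loudly when the vulnerabilities file is absent but only stops the build when explicitly told to) as an added illustration; this is example code written for this page, not the thread's proposal and not the pkgsrc bsd.pkg.mk or audit-packages implementation. It assumes a simplified one-line-per-entry file format (`glob-pattern type url`), a hypothetical `check_vulnerable` function and a constructed sample file; real pkg-vulnerabilities entries use richer version patterns than plain globs.

```shell
#!/bin/sh
# Added example, not pkgsrc code: a check-vulnerable style check that
# degrades to a warning when the vulnerabilities file is missing.
# Assumed simplified file format: "pkg-glob-pattern  type  url" per line.

# Constructed sample data in a scratch directory (cleaned up on exit).
VULNDIR=${TMPDIR:-/tmp}/vuln-example.$$
mkdir -p "$VULNDIR"
trap 'rm -rf "$VULNDIR"' EXIT
cat > "$VULNDIR/pkg-vulnerabilities" <<'EOF'
# constructed sample entries, not real advisories
examplepkg-1.2.*   remote-code-execution  http://example.invalid/advisory-1
otherpkg-[0-9]*    denial-of-service      http://example.invalid/advisory-2
EOF

# check_vulnerable PKGNAME VULNFILE [STRICT]
#   returns 0 when the build may proceed, 1 when it must stop.
#   STRICT=no  (default): missing file -> warn and continue
#   STRICT=yes          : missing file -> warn and fail
#   A package matching an entry always returns 1 when the file is present.
check_vulnerable() {
    pkg=$1; vulnfile=$2; strict=${3:-no}
    if [ ! -r "$vulnfile" ]; then
        echo "WARNING: $vulnfile not found; cannot check $pkg for known vulnerabilities" >&2
        [ "$strict" = yes ] && return 1
        return 0
    fi
    found=0
    while read -r pattern type url; do
        # skip blank lines and comments
        case $pattern in ''|\#*) continue ;; esac
        # unquoted $pattern is expanded and used as a shell glob
        case $pkg in
        $pattern)
            echo "*** Package $pkg has a $type vulnerability, see $url" >&2
            found=1 ;;
        esac
    done < "$vulnfile"
    return $found
}

# Stand-alone demonstration; the "|| echo" keeps the script's own exit status 0.
check_vulnerable examplepkg-1.2.4 "$VULNDIR/pkg-vulnerabilities" \
    || echo "build of examplepkg-1.2.4 would stop"
check_vulnerable safepkg-1.0 "$VULNDIR/pkg-vulnerabilities" \
    && echo "safepkg-1.0 passes"
check_vulnerable safepkg-1.0 "$VULNDIR/does-not-exist" \
    && echo "safepkg-1.0 proceeds with a warning when the file is absent"
check_vulnerable safepkg-1.0 "$VULNDIR/does-not-exist" yes \
    || echo "strict mode stops the build when the file is absent"
```

The default branch is the one the message asks for: a missing file produces a warning on stderr and the build goes on; only an explicit strict setting (or an actual match) turns the check into a build failure.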