Re: Improving security for pkgsrc
On 07/28/15 19:44, David Holland wrote:
> On Sun, Jul 26, 2015 at 01:07:22AM +0200, Pierre Pronchery wrote:
>>> Generally, we declare each variable to be user-settable in
>>> mk.conf or pkg-settable in Makefile, and never both. See the
>>> FETCH_USING flamage...
>> Good point; I do think here it really makes sense to support
>> both though, just like in NetBSD's base system.
> NetBSD's base system does not support "both" in the sense of a
> variable that's both user-settable and build-system-settable.
> That's why base has both MKFOO and USE_FOO settings.
So MK... is for the build system, and USE_... is for the user?
This was never clear to me. Just look at mk.conf(5), it seems to be
aimed at the user, and the variables there are MKATF, MKBINUTILS,
MKBSDTAR etc, which "can be set ... or ...". This clearly looks like
What is the difference then?
>> And even then, packages could set "PKGSRC_USE_SSP?=yes" and then
>> the global setting would take precedence always if set
> Then you can't limit configuring it to yes to packages where it's
> been tested and found to work.
Why not? That's what NetBSD's base system does. Programs and libraries
build without SSP by default, and those which were considered
sensitive (exposed to remote users or data) build with SSP by default.
How is that different?
>> b) My personal take on this is:
>> - it finds bugs (which is a good thing)
>> - breaking is fail-safe (likewise)
> ...it will likely break too many things to be anything other than
> an explicit setting for the near to middle future.
"likely break" "too many things" "near to middle future"...
...can't we just go ahead and break them *now*? This flag *finds*
bugs, the most vicious kind, which will randomly corrupt memory and
possibly bite you at any seemingly unrelated point in the future.
Why can't we just do it?