tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Switch vulnerable packages to a warning only


Over time, more packages, and more essential packages are considered
vulnerable. Unfortunately this makes users suffer unnecessarily for
fetching the package vulnerability database.

I assume most people who ran "pkg_admin fetch-pkg-vulnerabilities" have
immediately had to add ALLOW_VULNERABLE_PACKAGES=yes to mk.conf

So, I am proposing a user-friendliness step of only warning about
vulnerable packages by default.


Index: pkgformat/pkg/
RCS file: /cvsroot/pkgsrc/mk/pkgformat/pkg/,v
retrieving revision 1.1
diff -u -r1.1
--- pkgformat/pkg/	15 Oct 2011 00:23:09 -0000	1.1
+++ pkgformat/pkg/	21 May 2020 15:56:15 -0000
@@ -20,6 +20,5 @@
 		exit 0;						\
 	fi;							\
 	${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
-	|| ${FAIL_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."

Home | Main Index | Thread Index | Old Index