tech-pkg archive


Re: Switch vulnerable packages to a warning only



On 2020-05-21 11:41, coypu%sdf.org@localhost wrote:
> On Thu, May 21, 2020 at 12:39:09PM -0400, Greg Troxel wrote:
> > coypu%sdf.org@localhost writes:
> >
> > > Attached diff to make ALLOW_VULNERABLE_PACKAGES=no.
> > >
> > > It's somewhat unnecessary to have ALLOW_VULNERABLE_PACKAGES?=yes (any
> > > value except no, even empty, would do), but this is probably easier to
> > > understand.
> > Thanks for taking my suggestion and this looks good to me.
> Great. I'm going to let it sit for a few days so more people have an
> opportunity to object, as I am changing the default behaviour.
I think changing this is fine as long as there's always a way to make builds error out by default, even if that's not default behavior.  In most environments, I'm fine with allowing vulnerable packages, but there are two where I want the build to halt:

1. My development trees, so I become aware of all vulnerabilities in dependencies
2. HPC clusters where I run services as root from a pkgsrc tree

Thanks for your work on this improvement.

    JB
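The thread turns on one detail of the gate's semantics: only the literal value `no` halts the build, while `yes`, any other word, or an empty value merely warns. The POSIX shell script below is an added example written for this archive page, not pkgsrc's own mk/check code (pkgsrc runs the real check against the pkg-vulnerabilities database through pkg_admin). It models the gate with a constructed, numeric-only vulnerability list and exact package-name matching so the decision logic stays readable; the package names, versions and exploit types in `VULN_DB` are constructed sample data.

```shell
#!/bin/sh
# Added example: a simplified model of a pkgsrc-style vulnerability gate.
# Not pkgsrc's own code. The database below is constructed sample data,
# one entry per line: <package> <first-fixed-version> <type-of-exploit>.
VULN_DB='openssl 1.1.2 weak-crypto
libxml2 2.9.10 remote-code-execution
sudo 1.9.6 privilege-escalation'

# version_lt A B: succeed (exit 0) when dotted numeric version A is older
# than B. Only numeric components are handled; this is a deliberate
# simplification of pkgsrc's dewey-style version comparison.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0;
            yb = (i <= nb) ? y[i] + 0 : 0;
            if (xa < yb) exit 0;
            if (xa > yb) exit 1;
        }
        exit 1
    }'
}

# find_vulnerabilities NAME-VERSION: print one line per matching entry in
# VULN_DB and succeed if at least one entry applies.
find_vulnerabilities() {
    pkg="${1%-*}"      # "openssl-1.1.1" -> "openssl"
    ver="${1##*-}"     # "openssl-1.1.1" -> "1.1.1"
    found=1
    while read -r name fixed kind; do
        [ -z "$name" ] && continue
        if [ "$name" = "$pkg" ] && version_lt "$ver" "$fixed"; then
            printf '%s-%s is vulnerable (%s, fixed in %s)\n' \
                "$pkg" "$ver" "$kind" "$fixed"
            found=0
        fi
    done <<EOF
$VULN_DB
EOF
    return $found
}

# check_vulnerable NAME-VERSION ALLOW: the gate. ALLOW is the value the
# user gave ALLOW_VULNERABLE_PACKAGES. Only the literal "no" halts the
# build (exit 1); "yes", any other word and the empty string only warn.
check_vulnerable() {
    pkgver="$1"
    allow="$2"
    report=$(find_vulnerabilities "$pkgver") || {
        echo "$pkgver: no known vulnerabilities"
        return 0
    }
    echo "$report"
    if [ "$allow" = "no" ]; then
        echo "ERROR: refusing to build $pkgver (ALLOW_VULNERABLE_PACKAGES=no)"
        return 1
    fi
    echo "WARNING: building $pkgver anyway (ALLOW_VULNERABLE_PACKAGES='$allow')"
    return 0
}

# Demonstration: the same vulnerable package under each setting. The
# "|| echo" keeps the script running after the halting case.
check_vulnerable openssl-1.1.1 no  || echo "-> build halted"
check_vulnerable openssl-1.1.1 yes
check_vulnerable openssl-1.1.1 ""      # empty value also continues
check_vulnerable openssl-1.1.2 no      # fixed version, no complaint
```

For the two environments JB describes, the operative line is simply `ALLOW_VULNERABLE_PACKAGES=no` in mk.conf; the model above shows why a mistyped or empty value silently falls back to the warning path rather than the halt.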


