tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Switch vulnerable packages to a warning only

On Thu, May 21, 2020 at 06:46:38PM +0200, Joerg Sonnenberger wrote:
> On Thu, May 21, 2020 at 04:34:19PM +0000, wrote:
> > It's somewhat unnecessary to have ALLW_VULNERABLE_PACKAGES?=yes (any
> > value except no, even empty, would do), but this is probably easier to
> > understand.
> It makes a difference whether auditing is done at all or if the result
> is ignored. Namely on whether the non-existance of the vulnerability
> file is an error. So if anything, it should be a trinary option (yes,
> no, warn).

I can't imagine a scenario (short of severely malfunctioning tools)
where someone would care about the difference between "no" and "warn".

Can you elaborate?

Also: my main reason for waiting with the change is the change of the
default (to non-fatal), I see this as a discussion of the implementation
details rather than an objection.

Home | Main Index | Thread Index | Old Index