tech-pkg archive


Re: Switch vulnerable packages to a warning only



On Fri, May 22, 2020 at 10:46:00PM +0000, maya%NetBSD.org@localhost wrote:
> On Thu, May 21, 2020 at 06:46:38PM +0200, Joerg Sonnenberger wrote:
> > On Thu, May 21, 2020 at 04:34:19PM +0000, coypu%sdf.org@localhost wrote:
> > > It's somewhat unnecessary to have ALLW_VULNERABLE_PACKAGES?=yes (any
> > > value except no, even empty, would do), but this is probably easier to
> > > understand.
> > 
> > It makes a difference whether auditing is done at all or if the result
> > is ignored. Namely on whether the non-existence of the vulnerability
> > file is an error. So if anything, it should be a trinary option (yes,
> > no, warn).
> 
> I can't imagine a scenario (short of severely malfunctioning tools)
> where someone would care about the difference between "no" and "warn".

If set to no, it shouldn't complain about missing vulnerability file.
That's just not helpful at all. If set to warn, it certainly should
complain (or maybe even fail). If set to yes, it most definitely should
fail.

> Also: my main reason for waiting with the change is the change of the
> default (to non-fatal), I see this as a discussion of the implementation
> details rather than an objection.

I don't care too much about the default value here.

Joerg

