tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Switch vulnerable packages to a warning only

On Fri, May 22, 2020 at 10:46:00PM +0000, wrote:
> On Thu, May 21, 2020 at 06:46:38PM +0200, Joerg Sonnenberger wrote:
> > On Thu, May 21, 2020 at 04:34:19PM +0000, wrote:
> > > It's somewhat unnecessary to have ALLW_VULNERABLE_PACKAGES?=yes (any
> > > value except no, even empty, would do), but this is probably easier to
> > > understand.
> > 
> > It makes a difference whether auditing is done at all or if the result
> > is ignored. Namely on whether the non-existance of the vulnerability
> > file is an error. So if anything, it should be a trinary option (yes,
> > no, warn).
> I can't imagine a scenario (short of severely malfunctioning tools)
> where someone would care about the difference between "no" and "warn".

If set to no, it shouldn't complain about missing vulnerability file.
That's just not helpful at all. If set to warn, it certainly should
complain (or maybe even fail). If set to yes, it most definitely should

> Also: my main reason for waiting with the change is the change of the
> default (to non-fatal), I see this as a discussion of the implementation
> details rather than an objection.

I don't care too much of the default value here.


Home | Main Index | Thread Index | Old Index