tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Switch vulnerable packages to a warning only

On 2020-05-22 16:42, wrote:
On Fri, May 22, 2020 at 07:35:14AM -0500, Jason Bacon wrote:
On 2020-05-21 11:41, wrote:
On Thu, May 21, 2020 at 12:39:09PM -0400, Greg Troxel wrote: writes:

Attached diff to make ALLOW_VULNERABLE_PACKAGES=no.

It's somewhat unnecessary to have ALLW_VULNERABLE_PACKAGES?=yes (any
value except no, even empty, would do), but this is probably easier to
Thanks for taking my suggestion and this looks good to m.
Great. I'm going to let it sit for a few days so more people have an
opportunity to object, as I am changing the default behaviour.
I think changing this is fine as long as there's always a way to make builds
error out by default, even if that's not default behavior.  In most
environments, I'm fine with allowing vulnerable packages, but there are two
where I want the build to halt:

1. My development trees, so I become aware of all vulnerabilities in
2. HPC clusters where I run services as root from a pkgsrc tree

Thanks for your work on this improvement.

I see. By the way, there's `pkg_admin audit` which is a probably less
annoying way of reporting that any installed packages are vulnerable.
This also helps with vulnerabilities discovered after the installation
of the package.
Thanks, I knew about pkg_admin audit, but when I'm juggling a million things and under time pressure, I don't want to have to deliberately take action to check all the dependencies for each of my packages.  I find it safer to have the system raise a flag that demands my attention during normal builds.



Home | Main Index | Thread Index | Old Index