Re: not respected: ALLOW_VULNERABLE_PACKAGES=NO

[Jörg Sonnenberger <joerg%bec.de@localhost>]

On 5/31/25 11:09 PM, George Georgalis wrote:
> On Tue, May 27, 2025 at 3:30 AM Jonathan Perkin via gnats <gnats- 
> admin%netbsd.org@localhost <mailto:gnats-admin%netbsd.org@localhost>> wrote:
>  >
>  > The following reply was made to PR pkg/59446; it has been noted by GNATS.
>  > ...
>  >  * On 2025-05-27 at 09:50 BST, Kimmo Suominen via gnats wrote:
>  >
>  >  > You cannot configure pkgin settings in /etc/mk.conf as it has its own
>  >  > configuration files.  I don't think pkgin has a corresponding setting,
>  >  > though.
>  >
>  >  It doesn't, and I have no plans to add one to it, not unless either
>  >  pkg-vulnerabilities is overhauled to provide a scoring system, or the
>  >  vulnerabilities it lists are taken seriously.
>
>
> In the context of enabling pkgsrc's formal approval as enterprise-grade 
> package building software, I consider per-package CVE tracking via pkg- 
> vulnerabilities essential. This functionality is critical for security 
> accounting and oversight at any site using pkgsrc.

The heart of the issue is that the CVE database has become pretty much 
useless as metric of security issues for anyone that doesn't sell audit 
programs. It is dominated by the semi-automated fuzzing results where 
the "reporter" doesn't even spend time to properly analyze the result. 
Just as an example, a CVE claiming a buffer overflow in an Endian 
conversion function shows a completely lack of understanding of code 
structure. Scoring of CVEs is also next-to-useless, some of the worst 
security incidents in recent years had only medium score levels.

I'm not saying that pkg-vulnerabilities is useless, but 
PKG_ALLOW_VULNERABLE_PACKAGES=no is.

Joerg