tech-pkg archive


Re: not respected: ALLOW_VULNERABLE_PACKAGES=NO

On 5/31/25 11:09 PM, George Georgalis wrote:
On Tue, May 27, 2025 at 3:30 AM Jonathan Perkin via gnats <gnats-admin%netbsd.org@localhost> wrote:
>
> The following reply was made to PR pkg/59446; it has been noted by GNATS.
> ...
> * On 2025-05-27 at 09:50 BST, Kimmo Suominen via gnats wrote:
>
> > You cannot configure pkgin settings in /etc/mk.conf as it has its own
> > configuration files.  I don't think pkgin has a corresponding setting,
> > though.
>
> It doesn't, and I have no plans to add one to it, not unless either
> pkg-vulnerabilities is overhauled to provide a scoring system, or the
> vulnerabilities it lists are taken seriously.


In the context of enabling pkgsrc's formal approval as enterprise-grade package building software, I consider per-package CVE tracking via pkg-vulnerabilities essential. This functionality is critical for security accounting and oversight at any site using pkgsrc.

The heart of the issue is that the CVE database has become pretty much useless as a metric of security issues for anyone who doesn't sell audit programs. It is dominated by semi-automated fuzzing results where the "reporter" doesn't even spend time to properly analyze the result. Just as an example, a CVE claiming a buffer overflow in an endian conversion function shows a complete lack of understanding of code structure. Scoring of CVEs is also next-to-useless; some of the worst security incidents in recent years had only medium score levels.

I'm not saying that pkg-vulnerabilities is useless, but PKG_ALLOW_VULNERABLE_PACKAGES=no is.

Joerg