

[pkgsrc/trunk]: pkgsrc/mk Per request, back out all the SKIP_AUDIT_PACKAGES c...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/3e1486558226
branches:  trunk
changeset: 503574:3e1486558226
user:      erh <erh%pkgsrc.org@localhost>
date:      Wed Nov 23 18:27:13 2005 +0000

description:
Per request, back out all the SKIP_AUDIT_PACKAGES changes.
bsd.pkg.mk:1.1758-1.1752
bsd.prefs.mk:1.210
bulk/build:1.79
defaults/mk.conf:1.93-1.92

diffstat:

 mk/bsd.pkg.mk       |  52 +++++++++++++++++++---------------------------------
 mk/bsd.prefs.mk     |   4 +---
 mk/bulk/build       |   4 ++--
 mk/defaults/mk.conf |  18 +++++-------------
 4 files changed, 27 insertions(+), 51 deletions(-)

diffs (163 lines):

diff -r 2f4d5ffdd83e -r 3e1486558226 mk/bsd.pkg.mk
--- a/mk/bsd.pkg.mk     Wed Nov 23 14:59:44 2005 +0000
+++ b/mk/bsd.pkg.mk     Wed Nov 23 18:27:13 2005 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: bsd.pkg.mk,v 1.1767 2005/11/22 03:41:20 jlam Exp $
+#      $NetBSD: bsd.pkg.mk,v 1.1768 2005/11/23 18:27:13 erh Exp $
 #
 # This file is in the public domain.
 #
@@ -1315,48 +1315,36 @@
        esac
 
 # check for any vulnerabilities in the package
-
-_AUDIT_PACKAGES_MIN_VERSION=1.40
-_AUDIT_PACKAGES_OK!=   ${PKG_INFO} -qe 'audit-packages>=${_AUDIT_PACKAGES_MIN_VERSION}' ; echo $$?
-
-# Note: _any_ output from check-vulnerable is considered an error by do-fetch.
+# Please do not modify the leading "@" here
 .PHONY: check-vulnerable
 check-vulnerable:
-.if empty(_AUDIT_PACKAGES_OK:M0)
-       @${ECHO_MSG} "${_PKGSRC_IN}> *** The audit-packages package must be at least version ${_AUDIT_PACKAGES_MIN_VERSION}"
-       @${ECHO_MSG} "${_PKGSRC_IN}> *** Please install the security/audit-packages package and run";
-       @${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'.";
-       @false
-.else
-       @${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} -p ${PKGNAME:Q}
-.endif
-
-
-.if defined(ALLOW_VULNERABILITIES.${PKGBASE})
-_ALLOW_VULNERABILITIES=${ALLOW_VULNERABILITIES.${PKGBASE}}
-.else
-_ALLOW_VULNERABILITIES=#none
-.endif
+       @if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
+               . ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \
+       elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
+               . ${PKG_SYSCONFDIR}/audit-packages.conf;                \
+       fi;                                                             \
+       if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then               \
+               ${SETENV} PKGNAME=${PKGNAME:Q}                          \
+                         PKGBASE=${PKGBASE:Q}                          \
+                       ${AWK} '/^$$/ { next }                          \
+                               /^#.*/ { next }                         \
+                               $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
+                               { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, 
ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
+       fi
 
 .PHONY: do-fetch
 .if !target(do-fetch)
 do-fetch:
-.  if empty(SKIP_AUDIT_PACKAGES:M[Yy][Ee][Ss]) && empty(_ALLOW_VULNERABILITIES:M[Yy][Ee][Ss])
+.  if !defined(ALLOW_VULNERABLE_PACKAGES)
        ${_PKG_SILENT}${_PKG_DEBUG}                                     \
        if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then               \
                ${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
-               vul=`${MAKE} ${MAKEFLAGS} check-vulnerable || ${TRUE}`;         \
+               vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`;            \
                case "$$vul" in                                         \
                "")     ;;                                              \
-               *vulnid:*)      vulnids=`echo "$$vul" | ${GREP} vulnid: | ${SED} -e's/.*vulnid:\\([[:digit:]]*\\).*/\\1/'`; \
-                       ${ECHO} "$$vul";                                \
-                       ${ECHO} "or if this package is absolutely essential, add this to mk.conf:"; \
-                       for vulnid in $$vulnids ; do \
-                               ${ECHO} " ALLOW_VULNERABILITIES.${PKGBASE}+=$$vulnid"; \
-                       done ; \
+               *)      ${ECHO} "$$vul";                                \
+                       ${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
                        ${FALSE} ;;                                     \
-               *) ${ECHO} "$$vul";                             \
-                       ${FALSE} ;;                 \
                esac;                                                   \
        else                                                            \
                ${ECHO_MSG} "${_PKGSRC_IN}> *** No ${PKGVULNDIR}/pkg-vulnerabilities file found,"; \
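Review bot: The exit status of check-vulnerable is never consulted by do-fetch: the new assignment line `vul=...check-vulnerable...;` is followed only by `case "$$vul" in "") ;;`, so the `|| ${FALSE}` on the awk pipeline in check-vulnerable (or a failure while sourcing audit-packages.conf) yields an empty `$$vul` and is handled exactly like "no vulnerabilities found" — the check fails open, and removing the old `|| ${TRUE}` changes nothing in practice because the assignment's status is not tested on the following lines. Make a failed check visible by appending `|| vul="$${vul}${_PKGSRC_IN}> *** check-vulnerable failed"` to that assignment line, so it falls into the `*)` branch and stops the fetch. Separately, the pre-filter `$$1 !~ ENVIRON["PKGBASE"]` treats the package base as an extended regular expression rather than a literal string, so a PKGBASE containing metacharacters such as `+` is presumably matched differently than intended or may make awk abort, which with the point above would also pass silently; `index($$1, ENVIRON["PKGBASE"]) == 0 && $$1 !~ /\{/ { next }` is the literal-substring form. The do-fetch target continues past the end of this hunk.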
@@ -1364,8 +1352,6 @@
                ${ECHO_MSG} "${_PKGSRC_IN}> *** the pkgsrc/security/audit-packages package and run"; \
                ${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; \
        fi
-.  else
-       @${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME}"
 .  endif
 .  if !empty(_ALLFILES)
        ${_PKG_SILENT}${_PKG_DEBUG}                                     \
diff -r 2f4d5ffdd83e -r 3e1486558226 mk/bsd.prefs.mk
--- a/mk/bsd.prefs.mk   Wed Nov 23 14:59:44 2005 +0000
+++ b/mk/bsd.prefs.mk   Wed Nov 23 18:27:13 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.210 2005/11/16 20:59:23 erh Exp $
+# $NetBSD: bsd.prefs.mk,v 1.211 2005/11/23 18:27:13 erh Exp $
 #
 # Make file, included to get the site preferences, if any.  Should
 # only be included by package Makefiles before any .if defined()
@@ -497,7 +497,6 @@
 PKG_INFO_CMD?=         ${PKG_TOOLS_BIN}/pkg_info
 PKG_VIEW_CMD?=         ${PKG_TOOLS_BIN}/pkg_view
 LINKFARM_CMD?=         ${PKG_TOOLS_BIN}/linkfarm
-AUDIT_PACKAGES_CMD?=   ${LOCALBASE}/sbin/audit-packages
 
 .if !defined(PKGTOOLS_VERSION)
 PKGTOOLS_VERSION!=     ${PKG_INFO_CMD} -V 2>/dev/null || echo 20010302
@@ -528,7 +527,6 @@
 PKG_INFO?=             ${PKGTOOLS_ENV} ${PKG_INFO_CMD} ${PKGTOOLS_ARGS}
 PKG_VIEW?=             ${PKGTOOLS_ENV} ${PKG_VIEW_CMD} ${PKG_VIEW_ARGS}
 LINKFARM?=             ${LINKFARM_CMD}
-AUDIT_PACKAGES?=       ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD} ${PKGTOOLS_ARGS}
 
 # "${PKG_BEST_EXISTS} pkgpattern" prints out the name of the installed
 # package that best matches pkgpattern.  Use this instead of
diff -r 2f4d5ffdd83e -r 3e1486558226 mk/bulk/build
--- a/mk/bulk/build     Wed Nov 23 14:59:44 2005 +0000
+++ b/mk/bulk/build     Wed Nov 23 18:27:13 2005 +0000
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $NetBSD: build,v 1.82 2005/11/20 11:18:45 rillig Exp $
+# $NetBSD: build,v 1.83 2005/11/23 18:27:13 erh Exp $
 
 #
 # Copyright (c) 1999, 2000 Hubert Feyrer <hubertf%NetBSD.org@localhost>
@@ -216,7 +216,7 @@
 # Check that the package tools are up to date.
 #
 ( cd "${pkglint_dir}" \
-  && ${BMAKE} fetch SKIP_AUDIT_PACKAGES=yes >/dev/null 2>&1
+  && ${BMAKE} fetch >/dev/null 2>&1
 ) || {
        echo "Updating pkgtools"
        ( cd "${pkgsrc_dir}/pkgtools/pkg_install" \
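Review bot: With `SKIP_AUDIT_PACKAGES=yes` gone, `${BMAKE} fetch` on the pkglint directory now also runs check-vulnerable, so a vulnerability entry matching pkglint would presumably make this probe fail and take the "Updating pkgtools" branch even when the package tools are current, and because both stdout and stderr go to /dev/null the reason is invisible. If the probe is only meant to test the tools' version, consider passing `ALLOW_VULNERABLE_PACKAGES=yes` on this invocation (the variable bsd.pkg.mk now honours) or at least keeping stderr so the cause of a failed probe is logged. Whether pkglint can appear in pkg-vulnerabilities is not visible here, so this is a hedge rather than a confirmed defect.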
diff -r 2f4d5ffdd83e -r 3e1486558226 mk/defaults/mk.conf
--- a/mk/defaults/mk.conf       Wed Nov 23 14:59:44 2005 +0000
+++ b/mk/defaults/mk.conf       Wed Nov 23 18:27:13 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.94 2005/11/17 00:28:48 rillig Exp $
+# $NetBSD: mk.conf,v 1.95 2005/11/23 18:27:13 erh Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -15,20 +15,12 @@
 # NOTE TO PEOPLE EDITING THIS FILE - USE LEADING SPACES, NOT LEADING TABS.
 # ************************************************************************
 
-#ALLOW_VULNERABILITIES.<pkgname>=
-# List of vulnerability ids to ignore when performing audit-packages
-# check when building a package.  
-# Possible: one or more vulnerabilities ids,
-#           or the word "yes" to allow all. (not recommended)
+#ALLOW_VULNERABLE_PACKAGES=
+# allow the user to build packages which are known to be vulnerable to
+# security exploits
+# Possible: defined, not defined
 # Default: not defined
 
-SKIP_AUDIT_PACKAGES?=no
-# Completely skip running audit-packages to check for vulnerable packages.
-# Specifying individual vulnerabilities with
-# ALLOW_VULNERABILITIES.<pkgname>=<vulnid> is preferred to using this.
-# Possible: yes, no
-# Default: no
-
 MANINSTALL?= maninstall catinstall
 # Specify manpage installation types.
 # Possible: maninstall, catinstall, both types or empty
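Review bot: The comment `# Possible: defined, not defined` under `#ALLOW_VULNERABLE_PACKAGES=` understates how the variable is consumed: bsd.pkg.mk tests it with `.if !defined(ALLOW_VULNERABLE_PACKAGES)`, so any assignment — including `ALLOW_VULNERABLE_PACKAGES=no` — disables the vulnerability check entirely. Since this file is where users learn the knob, state that explicitly, e.g. `# NOTE: tested with defined(), so any value (even "no") allows vulnerable packages to be built; comment the line out to re-enable the check.`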


