NetBSD-Users archive
Re: Allow_vulnerable_packages= yes
2012/2/21 Greg Troxel <gdt%ir.bbn.com@localhost>:
>
> Edgar Rodolfo <rodolfobsd%gmail.com@localhost> writes:
>
>> Then I put in /usr/pkgsrc/mk/default/mk.conf
>> ALLOW_VULNERABLE_PACKAGES= yes
>> Is it a risk? If I don't put it I can't use squid and other packages
>> :(, currently I am using my small server (squid and dns and other)
>
> Basically the situation is:
>
> almost all software has vulnerabilities
>
> some of those are known
>
> some of the known ones are known publicly
>
> some of the publicly known ones are listed in pkg-vulnerabilities
>
> pkgsrc, by default, will not build (and perhaps not install) packages
> which have a vulnerability listed in pkg-vulnerabilities
>
> if you set ALLOW_VULNERABLE_PACKAGES=yes, then the check/stop for
> packages in pkg-vulnerabilities is skipped.
>
> So "is it a risk" is a question about your particular situation and
> the particular programs you are running, and there is no general
> answer. Your choices are:
>
> 1) figure out how to stop using php and squid
>
> 2) install the new version anyway (perhaps figuring that replacing an
> older version with a newer version is not incrementally worse, usually)
>
> 3) go read the advisory and figure out if there's a new version and/or a
> patch, and install that. Optionally send a patch to the package to
> help others out
>
> 4) turn off your computer until someone else does (3)
>
Thanks a lot for your recommendation.
I remember that I was using NetBSD 5.1.1 last month and I was
using similar software, the same pkgsrc stable, and I had no problem. It is
strange for me...
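
The check described in the quoted reply can be illustrated with the sketch below. It is an added example, not part of either message and not pkgsrc's own code (on a real system `pkg_admin audit` performs this check). The entries, package versions and `advisory.example` URLs are constructed, and only simple `name<version` patterns with numeric dotted versions are handled.

```shell
#!/bin/sh
# Constructed sample data in the three-column layout of pkg-vulnerabilities:
# package pattern, vulnerability type, advisory URL. Not real entries.
sample_vulns() {
cat <<'EOF'
# package        type                    URL
squid<3.1.19     denial-of-service       https://advisory.example/squid-1
php<5.3.10       remote-code-execution   https://advisory.example/php-1
bind<9.8.0       denial-of-service       https://advisory.example/bind-1
EOF
}

# audit_pkgs "name-version ..." prints "pkg type url" for every installed
# package matched by an entry, so the advisory can be read before deciding
# whether to override the check. Hypothetical helper, simplified matching.
audit_pkgs() {
    sample_vulns | awk -v installed="$1" '
    # return 1 if dotted numeric version a is lower than b (3.1.9 < 3.1.19)
    function older(a, b,   x, y, n, m, i) {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= n || i <= m; i++) {
            if ((x[i] + 0) < (y[i] + 0)) return 1
            if ((x[i] + 0) > (y[i] + 0)) return 0
        }
        return 0
    }
    BEGIN {
        k = split(installed, p, " ")
        for (i = 1; i <= k; i++) {
            v = p[i];  sub(/.*-/, "", v)       # version: text after last "-"
            nm = p[i]; sub(/-[^-]*$/, "", nm)  # name: text before last "-"
            ver[nm] = v
        }
    }
    /^#/ || NF < 3 { next }                    # skip comments and short lines
    {
        idx = index($1, "<"); if (idx == 0) next
        name = substr($1, 1, idx - 1); limit = substr($1, idx + 1)
        if ((name in ver) && older(ver[name], limit))
            print name "-" ver[name], $2, $3
    }'
}

# Constructed installed-package list: only squid is below its fixed version.
audit_pkgs "squid-3.1.18 php-5.3.10 bind-9.9.1 zsh-4.3.15"
```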