[pkgsrc/trunk]: pkgsrc/mk Flip the switch on ALLOW_VULNERABLE_PACKAGES to all...
details: https://anonhg.NetBSD.org/pkgsrc/rev/ea9fe3e5e1c9
branches: trunk
changeset: 432991:ea9fe3e5e1c9
user: maya <maya%pkgsrc.org@localhost>
date: Thu May 28 16:22:58 2020 +0000
description:
Flip the switch on ALLOW_VULNERABLE_PACKAGES to allow them by default.
Right now, users who install the pkg-vulnerabilities database find that
the vast majority of packages fail to build, penalizing them too severely.
Package auditing can still be done via "pkg_admin audit".
Alternatively, the previous behaviour can be restored with
ALLOW_VULNERABLE_PACKAGES=no in mk.conf.
Additionally, bmake-ify the check.mk logic. It was easier to do this,
as the package relied on a single long ${RUN} command.
Proposed on tech-pkg, with no objections to the idea of changing the
default, just the method of doing so.
diffstat:
mk/check/check-vulnerable.mk | 7 +------
mk/defaults/mk.conf | 6 +++---
mk/pkgformat/pkg/check.mk | 31 +++++++++++++++++++------------
3 files changed, 23 insertions(+), 21 deletions(-)
diffs (91 lines):
diff -r 982eb4bfccde -r ea9fe3e5e1c9 mk/check/check-vulnerable.mk
--- a/mk/check/check-vulnerable.mk Thu May 28 15:33:29 2020 +0000
+++ b/mk/check/check-vulnerable.mk Thu May 28 16:22:58 2020 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: check-vulnerable.mk,v 1.5 2011/10/15 00:23:08 reed Exp $
+# $NetBSD: check-vulnerable.mk,v 1.6 2020/05/28 16:22:58 maya Exp $
#
# Public targets:
#
@@ -6,13 +6,8 @@
# Checks for vulnerabilities in the package.
#
-.if defined(ALLOW_VULNERABLE_PACKAGES)
-check-vulnerable: .PHONY
- @${DO_NADA}
-. else
check-vulnerable: .PHONY _pkgformat-check-vulnerable
@${DO_NADA}
-.endif
# A package format does not need to implement this target, so provide a
# default implementation.
diff -r 982eb4bfccde -r ea9fe3e5e1c9 mk/defaults/mk.conf
--- a/mk/defaults/mk.conf Thu May 28 15:33:29 2020 +0000
+++ b/mk/defaults/mk.conf Thu May 28 16:22:58 2020 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.310 2020/05/15 10:22:42 nia Exp $
+# $NetBSD: mk.conf,v 1.311 2020/05/28 16:22:58 maya Exp $
#
# This file provides default values for variables that may be overridden
@@ -31,8 +31,8 @@
#ALLOW_VULNERABLE_PACKAGES=
# allow the user to build packages which are known to be vulnerable to
# security exploits
-# Possible: defined, not defined
-# Default: not defined
+# Possible: yes, no
+# Default: yes
#AUDIT_PACKAGES_FLAGS=
# List of flags passed to ``pkg_admin audit-pkg''.
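Review bot: The example line `#ALLOW_VULNERABLE_PACKAGES=` above the rewritten comment still shows an empty value, while the new text says the possible values are `yes` and `no`; with the new check in mk/pkgformat/pkg/check.mk only the value `no` makes a vulnerable package fail, so an empty value behaves like `yes`. Changing the example to `#ALLOW_VULNERABLE_PACKAGES=yes` (or `no`, to show how to restore the previous behaviour) would match the documented values.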
diff -r 982eb4bfccde -r ea9fe3e5e1c9 mk/pkgformat/pkg/check.mk
--- a/mk/pkgformat/pkg/check.mk Thu May 28 15:33:29 2020 +0000
+++ b/mk/pkgformat/pkg/check.mk Thu May 28 16:22:58 2020 +0000
@@ -1,25 +1,32 @@
-# $NetBSD: check.mk,v 1.1 2011/10/15 00:23:09 reed Exp $
+# $NetBSD: check.mk,v 1.2 2020/05/28 16:22:58 maya Exp $
#
# _pkgformat-check-vulnerable:
# Checks for known vulnerabilities in the package if a vulnerability
# file exists.
#
+
+ALLOW_VULNERABLE_PACKAGES?= yes
+
.if defined(NO_PKGTOOLS_REQD_CHECK)
_pkgformat-check-vulnerable: .PHONY
${RUN}${DO_NADA}
.else
+
+_VULNFILE:= ${_EXTRACT_PKGVULNDIR:sh}/pkg-vulnerabilities
_pkgformat-check-vulnerable: .PHONY
- ${RUN}\
- _PKGVULNDIR=`${_EXTRACT_PKGVULNDIR}`; \
- vulnfile=$$_PKGVULNDIR/pkg-vulnerabilities; \
- if ${TEST} ! -f "$$vulnfile"; then \
- ${PHASE_MSG} "Skipping vulnerability checks."; \
- ${WARNING_MSG} "No $$vulnfile file found."; \
- ${WARNING_MSG} "To fix run: \`${DOWNLOAD_VULN_LIST}'."; \
- exit 0; \
- fi; \
- ${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
- ${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
+. if exists(${_VULNFILE})
+ @${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"
+. if !empty(ALLOW_VULNERABLE_PACKAGES:tl:Mno)
+ @${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} \
|| ${FAIL_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."
+. else
+ @${AUDIT_PACKAGES} ${_AUDIT_PACKAGES_CMD} ${AUDIT_PACKAGES_FLAGS} ${PKGNAME} || ${TRUE}
+. endif
+. else
+ @${PHASE_MSG} "Skipping vulnerability checks."
+ @${WARNING_MSG} "No ${_VULNFILE} file found."
+ @${WARNING_MSG} "To fix run: \`${DOWNLOAD_VULN_LIST}'."
+. endif
+
.endif
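Review bot: The `${FAIL_MSG}` text in the strict branch still says `Define ALLOW_VULNERABLE_PACKAGES in mk.conf`, but after this change the variable is always defined (defaulted to `yes`) and this branch is reached only when it is set to `no`, so the advice no longer fixes the failure; it should read `|| ${FAIL_MSG} "Set ALLOW_VULNERABLE_PACKAGES=yes in mk.conf or ${_AUDIT_CONFIG_OPTION} in ${_AUDIT_CONFIG_FILE}(5) if this package is absolutely essential."`. Because the test is `:tl:Mno`, any other value (empty, `false`, `0`, a misspelling) silently selects the permissive branch; if that is intended it deserves a comment above the `?=` default, e.g. `# Only the value "no" (any case) makes a known-vulnerable package fail to build.` In the permissive branch the audit output is the only trace that a known-vulnerable package was built, so replacing `${TRUE}` with `${WARNING_MSG} "Building ${PKGNAME} despite known vulnerabilities (ALLOW_VULNERABLE_PACKAGES=${ALLOW_VULNERABLE_PACKAGES})."` would make it visible in the build log while keeping the build going. Note also that `_VULNFILE` runs `${_EXTRACT_PKGVULNDIR:sh}` and the `.if exists(...)` test at parse time of every package that includes this file, rather than when the check target runs, which presumably differs from the old recipe-time check if the database is fetched during the same make invocation.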