Subject: Re: ALLOW_VULNERABLE_PACKAGES should be precise
To: None <tech-pkg@NetBSD.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 08/26/2005 09:26:04
> : I do agree that even though ALLOW_VULNERABLE_PACKAGES is set, a
> : warning should be given during the install of any recursively
> : pulled in packages.
>
> I absolutely agree.
This means it will check every time. The following is a patch. (You can
test in archivers/gcpio.) What should it say if you do have
ALLOW_VULNERABLE_PACKAGES defined?
Index: mk/bsd.pkg.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.mk,v
retrieving revision 1.1718
diff -b -u -r1.1718 bsd.pkg.mk
--- mk/bsd.pkg.mk 26 Aug 2005 14:47:30 -0000 1.1718
+++ mk/bsd.pkg.mk 26 Aug 2005 16:23:10 -0000
@@ -1371,10 +1371,11 @@
{ s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
fi
+CHECK_VULNERABLE_PACKAGES?= YES
.PHONY: do-fetch
.if !target(do-fetch)
do-fetch:
-. if !defined(ALLOW_VULNERABLE_PACKAGES)
+. if !empty(CHECK_VULNERABLE_PACKAGES:M[Yy][Ee][Ss])
${_PKG_SILENT}${_PKG_DEBUG} \
if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
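Review bot: CHECK_VULNERABLE_PACKAGES is added as a user-settable default (`CHECK_VULNERABLE_PACKAGES?= YES`) with no comment or documentation, and the `do-fetch` guard now depends on it instead of ALLOW_VULNERABLE_PACKAGES, so any value that does not match `[Yy][Ee][Ss]` skips the pkg-vulnerabilities lookup altogether. Please add a comment next to the default that describes the variable and how it differs from ALLOW_VULNERABLE_PACKAGES (check and continue versus no check at all). If the branch taken when the check is disabled does not already print a notice, consider adding one so that a skipped check shows up in the build output.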
@@ -1382,8 +1383,13 @@
case "$$vul" in \
"") ;; \
*) ${ECHO} "$$vul"; \
+ if ${TEST} -z "${ALLOW_VULNERABLE_PACKAGES}"; then \
${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
- ${FALSE} ;; \
+ ${FALSE} ; \
+ else \
+ ${ECHO} "ALLOW_VULNERABLE_PACKAGES is defined." ; \
+ fi \
+ ;; \
esac; \
else \
${ECHO_MSG} "${_PKGSRC_IN}> *** No ${PKGVULNDIR}/pkg-vulnerabilities file found,"; \
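Review bot: The `${TEST} -z "${ALLOW_VULNERABLE_PACKAGES}"` test in the `*)` arm changes the variable's meaning from "defined" to "non-empty". The guard removed in the first hunk was `!defined(ALLOW_VULNERABLE_PACKAGES)`, so a configuration that defines the variable with an empty value used to proceed and will now reach `${FALSE}`. Either make the decision at make level with `defined()` so the old semantics are kept, or state the new requirement in the error text. The value is also expanded by make inside a double-quoted shell word, so a value containing a double quote would break the command. On the question asked in the mail: "ALLOW_VULNERABLE_PACKAGES is defined." does not tell the user what happens next; a message saying that the build continues despite the vulnerability listed above would be clearer, especially for packages pulled in recursively.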
If okay, I'll commit.
Jeremy C. Reed
BSD News, BSD tutorials, BSD links
http://www.bsdnewsletter.com/