author | jlam <jlam@pkgsrc.org> | 2006-07-05 09:08:35 +0000 |
---|---|---|
committer | jlam <jlam@pkgsrc.org> | 2006-07-05 09:08:35 +0000 |
commit | 990d0b53771974e8526315776af82fd9b4961c14 (patch) | |
tree | 266445424a702f9333f761cfa65f977c42683645 /mk/flavor | |
parent | e3b97d774b9eb87dcd011ba0aeca7f60d35eeb86 (diff) | |
download | pkgsrc-990d0b53771974e8526315776af82fd9b4961c14.tar.gz |
Make the check-vulnerable target more self-sufficient, by moving some
of the logic from fetch/fetch.mk into flavor/pkg/check.mk, so that
check-vulnerable can be used as a source target.
Make check-vulnerable a source target for every phase of the build
workflow, which ensures that it is always run if the user starts a
new phase from the command line.
Fix the cookie-generation targets so that they overwrite the cookie file
rather than appending to it. This works around potential problems
due to recursive makes.
Move the cookie checks so that they surround the corresponding phase
target. The presence of the cookie should now inform the make process
to avoid doing any processing of phases that occur before the phase
corresponding to the cookie.
Diffstat (limited to 'mk/flavor')
-rw-r--r-- | mk/flavor/pkg/check.mk | 51 |
1 files changed, 39 insertions, 12 deletions
diff --git a/mk/flavor/pkg/check.mk b/mk/flavor/pkg/check.mk
index 537599df581..8b4eddede20 100644
--- a/mk/flavor/pkg/check.mk
+++ b/mk/flavor/pkg/check.mk
@@ -1,4 +1,4 @@
-# $NetBSD: check.mk,v 1.1 2006/06/03 23:11:42 jlam Exp $
+# $NetBSD: check.mk,v 1.2 2006/07/05 09:08:35 jlam Exp $
 ######################################################################
 ### check-vulnerable (PUBLIC, pkgsrc/mk/check/check.mk)
@@ -12,16 +12,43 @@
 ###
 .PHONY: check-vulnerable
 check-vulnerable:
- @if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
- . ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \
- elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
- . ${PKG_SYSCONFDIR}/audit-packages.conf; \
+.if defined(ALLOW_VULNERABLE_PACKAGES)
+ @${DO_NADA}
+.else
+ ${_PKG_SILENT}${_PKG_DEBUG} \
+ vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities; \
+ if ${TEST} ! -f "$$vulnfile"; then \
+ ${PHASE_MSG} "Skipping vulnerability checks."; \
+ ${WARNING_MSG} "No $$vulnfile file found."; \
+ ${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
+ ${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
+ exit 0; \
 fi; \
- if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
- ${SETENV} PKGNAME=${PKGNAME} \
- PKGBASE=${PKGBASE} \
- ${AWK} '/^$$/ { next } \
- /^#.*/ { next } \
- $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
- { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
+ ${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
+ conffile=; \
+ for dir in \
+ __dummy \
+ ${PKG_SYSCONFDIR.audit-packages:Q}"" \
+ ${PKG_SYSCONFDIR:Q}""; \
+ do \
+ case $$dir in \
+ /*) conffile="$$dir/audit-packages.conf"; break ;; \
+ *) continue ;; \
+ esac; \
+ done; \
+ if ${TEST} -z "$$conffile" -a -f "$$conffile"; then \
+ . $$conffile; \
+ fi; \
+ ${SETENV} PKGNAME=${PKGNAME} \
+ PKGBASE=${PKGBASE} \
+ ${AWK} 'BEGIN { exitcode = 0 } \
+ /^$$/ { next } \
+ /^#.*/ { next } \
+ $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
+ { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
+ END { exit exitcode }' < $$vulnfile || ${FALSE}; \
+ if ${TEST} "$$?" -ne 0; then \
+ ${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+ ${FALSE}; \
 fi
+.endif |
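Review bot: The new test `if ${TEST} -z "$$conffile" -a -f "$$conffile"; then` can never succeed, because `-z` requires an empty string while `-f` requires that same string to name an existing file, so the `. $$conffile` line is unreachable and audit-packages.conf is never sourced. The for/case loop just above only ever assigns conffile an absolute path, so `-n` looks like the intended operator: `if ${TEST} -n "$$conffile" -a -f "$$conffile"; then \`. Since the loop leaves conffile empty when no candidate directory is absolute, `if ${TEST} -f "$$conffile"; then \` alone would be equivalent and simpler. The whole check-vulnerable target lies within this hunk.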