authorerh <erh@pkgsrc.org>2005-11-23 18:27:13 +0000
committererh <erh@pkgsrc.org>2005-11-23 18:27:13 +0000
commit4d2fdd7bd534b71eb3c16c12fd4a19a784b737a4 (patch)
tree8731d3cdd799616dd4cc777b650d1c214706990c /mk
parent256e66a2e3d3e13084c4ec275fc6fd76f1cdae62 (diff)
Per request, back out all the SKIP_AUDIT_PACKAGES changes.
bsd.pkg.mk:1.1758-1.1752 bsd.prefs.mk:1.210 bulk/build:1.79 defaults/mk.conf:1.93-1.92
Diffstat (limited to 'mk')
-rw-r--r--mk/bsd.pkg.mk52
-rw-r--r--mk/bsd.prefs.mk4
-rw-r--r--mk/bulk/build4
-rw-r--r--mk/defaults/mk.conf18
4 files changed, 27 insertions, 51 deletions
diff --git a/mk/bsd.pkg.mk b/mk/bsd.pkg.mk
index b02e65f3d70..346e61b761b 100644
--- a/mk/bsd.pkg.mk
+++ b/mk/bsd.pkg.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.pkg.mk,v 1.1767 2005/11/22 03:41:20 jlam Exp $
+# $NetBSD: bsd.pkg.mk,v 1.1768 2005/11/23 18:27:13 erh Exp $
#
# This file is in the public domain.
#
@@ -1315,48 +1315,36 @@ batch-check-distfiles:
esac
# check for any vulnerabilities in the package
-
-_AUDIT_PACKAGES_MIN_VERSION=1.40
-_AUDIT_PACKAGES_OK!= ${PKG_INFO} -qe 'audit-packages>=${_AUDIT_PACKAGES_MIN_VERSION}' ; echo $$?
-
-# Note: _any_ output from check-vulnerable is considered an error by do-fetch.
+# Please do not modify the leading "@" here
.PHONY: check-vulnerable
check-vulnerable:
-.if empty(_AUDIT_PACKAGES_OK:M0)
- @${ECHO_MSG} "${_PKGSRC_IN}> *** The audit-packages package must be at least version ${_AUDIT_PACKAGES_MIN_VERSION}"
- @${ECHO_MSG} "${_PKGSRC_IN}> *** Please install the security/audit-packages package and run";
- @${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'.";
- @false
-.else
- @${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} -p ${PKGNAME:Q}
-.endif
-
-
-.if defined(ALLOW_VULNERABILITIES.${PKGBASE})
-_ALLOW_VULNERABILITIES=${ALLOW_VULNERABILITIES.${PKGBASE}}
-.else
-_ALLOW_VULNERABILITIES=#none
-.endif
+ @if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
+ . ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \
+ elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
+ . ${PKG_SYSCONFDIR}/audit-packages.conf; \
+ fi; \
+ if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
+ ${SETENV} PKGNAME=${PKGNAME:Q} \
+ PKGBASE=${PKGBASE:Q} \
+ ${AWK} '/^$$/ { next } \
+ /^#.*/ { next } \
+ $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
+ { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
+ fi
.PHONY: do-fetch
.if !target(do-fetch)
do-fetch:
-. if empty(SKIP_AUDIT_PACKAGES:M[Yy][Ee][Ss]) && empty(_ALLOW_VULNERABILITIES:M[Yy][Ee][Ss])
+. if !defined(ALLOW_VULNERABLE_PACKAGES)
${_PKG_SILENT}${_PKG_DEBUG} \
if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
- vul=`${MAKE} ${MAKEFLAGS} check-vulnerable || ${TRUE}`; \
+ vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`; \
case "$$vul" in \
"") ;; \
- *vulnid:*) vulnids=`echo "$$vul" | ${GREP} vulnid: | ${SED} -e's/.*vulnid:\\([[:digit:]]*\\).*/\\1/'`; \
- ${ECHO} "$$vul"; \
- ${ECHO} "or if this package is absolutely essential, add this to mk.conf:"; \
- for vulnid in $$vulnids ; do \
- ${ECHO} " ALLOW_VULNERABILITIES.${PKGBASE}+=$$vulnid"; \
- done ; \
+ *) ${ECHO} "$$vul"; \
+ ${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
${FALSE} ;; \
- *) ${ECHO} "$$vul"; \
- ${FALSE} ;; \
esac; \
else \
${ECHO_MSG} "${_PKGSRC_IN}> *** No ${PKGVULNDIR}/pkg-vulnerabilities file found,"; \
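Review bot: The awk action restored in `check-vulnerable` builds a shell command with `sprintf` from fields `$1`, `$2` and `$3` of `${PKGVULNDIR}/pkg-vulnerabilities` and hands it to `system()`, so text from that data file is parsed by the shell. The double quotes around `%s` do not prevent command substitution, and an embedded quote would end the string early. The file's content should be handled as data only: let awk select and print the candidate lines, and call `${PKG_ADMIN} pmatch` from a shell loop with the fields held in quoted variables. Separately, `$$1 !~ ENVIRON["PKGBASE"]` treats the package base name as a regular expression, so names containing regex metacharacters may be pre-filtered incorrectly; this is worth confirming. A sketch of the second half of the recipe follows; the `|| ${FALSE}` exit-status handling would still need to be carried over.

```make
# … unchanged: sourcing of audit-packages.conf …
	if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
		${SETENV} PKGBASE=${PKGBASE:Q} \
		${AWK} '/^$$/ || /^#/ { next } \
			$$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
			{ print $$1, $$2, $$3 }' \
			< ${PKGVULNDIR}/pkg-vulnerabilities | \
		while read -r pattern type url; do \
			if ${PKG_ADMIN} pmatch "$$pattern" ${PKGNAME:Q}; then \
				${ECHO} "*** WARNING - $$type vulnerability in" ${PKGNAME:Q} \
					"- see $$url for more information ***"; \
			fi; \
		done; \
	fi
```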
@@ -1364,8 +1352,6 @@ do-fetch:
${ECHO_MSG} "${_PKGSRC_IN}> *** the pkgsrc/security/audit-packages package and run"; \
${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; \
fi
-. else
- @${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME}"
. endif
. if !empty(_ALLFILES)
${_PKG_SILENT}${_PKG_DEBUG} \
diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index ca1830ced16..e8cc811bb69 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.210 2005/11/16 20:59:23 erh Exp $
+# $NetBSD: bsd.prefs.mk,v 1.211 2005/11/23 18:27:13 erh Exp $
#
# Make file, included to get the site preferences, if any. Should
# only be included by package Makefiles before any .if defined()
@@ -497,7 +497,6 @@ PKG_DELETE_CMD?= ${PKG_TOOLS_BIN}/pkg_delete
PKG_INFO_CMD?= ${PKG_TOOLS_BIN}/pkg_info
PKG_VIEW_CMD?= ${PKG_TOOLS_BIN}/pkg_view
LINKFARM_CMD?= ${PKG_TOOLS_BIN}/linkfarm
-AUDIT_PACKAGES_CMD?= ${LOCALBASE}/sbin/audit-packages
.if !defined(PKGTOOLS_VERSION)
PKGTOOLS_VERSION!= ${PKG_INFO_CMD} -V 2>/dev/null || echo 20010302
@@ -528,7 +527,6 @@ PKG_DELETE?= ${PKGTOOLS_ENV} ${PKG_DELETE_CMD} ${PKGTOOLS_ARGS}
PKG_INFO?= ${PKGTOOLS_ENV} ${PKG_INFO_CMD} ${PKGTOOLS_ARGS}
PKG_VIEW?= ${PKGTOOLS_ENV} ${PKG_VIEW_CMD} ${PKG_VIEW_ARGS}
LINKFARM?= ${LINKFARM_CMD}
-AUDIT_PACKAGES?= ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD} ${PKGTOOLS_ARGS}
# "${PKG_BEST_EXISTS} pkgpattern" prints out the name of the installed
# package that best matches pkgpattern. Use this instead of
diff --git a/mk/bulk/build b/mk/bulk/build
index 5d0df84dc15..46f40eeeffe 100644
--- a/mk/bulk/build
+++ b/mk/bulk/build
@@ -1,5 +1,5 @@
#!/bin/sh
-# $NetBSD: build,v 1.82 2005/11/20 11:18:45 rillig Exp $
+# $NetBSD: build,v 1.83 2005/11/23 18:27:13 erh Exp $
#
# Copyright (c) 1999, 2000 Hubert Feyrer <hubertf@NetBSD.org>
@@ -216,7 +216,7 @@ show_config_vars
# Check that the package tools are up to date.
#
( cd "${pkglint_dir}" \
- && ${BMAKE} fetch SKIP_AUDIT_PACKAGES=yes >/dev/null 2>&1
+ && ${BMAKE} fetch >/dev/null 2>&1
) || {
echo "Updating pkgtools"
( cd "${pkgsrc_dir}/pkgtools/pkg_install" \
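Review bot: With `SKIP_AUDIT_PACKAGES=yes` dropped, the `${BMAKE} fetch` probe can presumably fail on a vulnerability hit as well as on out-of-date tools, and because both output and cause are discarded by `>/dev/null 2>&1`, either failure falls into the "Updating pkgtools" branch. If that is intended, a comment above the subshell would make it explicit, for example `# fetch also runs the vulnerability check; any failure here triggers a pkgtools update`. Otherwise the probe's output could be kept in the bulk log so the reason for the failure stays visible. The update block continues past the end of this hunk, so its later steps are not visible here.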
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index b859b9bc10f..2006203faf1 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.94 2005/11/17 00:28:48 rillig Exp $
+# $NetBSD: mk.conf,v 1.95 2005/11/23 18:27:13 erh Exp $
#
# This file provides default values for variables that may be overridden
@@ -15,20 +15,12 @@
# NOTE TO PEOPLE EDITING THIS FILE - USE LEADING SPACES, NOT LEADING TABS.
# ************************************************************************
-#ALLOW_VULNERABILITIES.<pkgname>=
-# List of vulnerability ids to ignore when performing audit-packages
-# check when building a package.
-# Possible: one or more vulnerabilities ids,
-# or the word "yes" to allow all. (not recommended)
+#ALLOW_VULNERABLE_PACKAGES=
+# allow the user to build packages which are known to be vulnerable to
+# security exploits
+# Possible: defined, not defined
# Default: not defined
-SKIP_AUDIT_PACKAGES?=no
-# Completely skip running audit-packages to check for vulnerable packages.
-# Specifying individual vulnerabilities with
-# ALLOW_VULNERABILITIES.<pkgname>=<vulnid> is preferred to using this.
-# Possible: yes, no
-# Default: no
-
MANINSTALL?= maninstall catinstall
# Specify manpage installation types.
# Possible: maninstall, catinstall, both types or empty
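Review bot: The restored comment for `ALLOW_VULNERABLE_PACKAGES` does not state its scope. The `do-fetch` hunk tests `!defined(ALLOW_VULNERABLE_PACKAGES)`, so defining it with any value, including `no`, skips the vulnerability check for every package built. I would add a line such as `#       Note: applies to all packages; any value, even "no", disables the check.` so that a user who sets it for one essential package knows it is a global switch.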