acknowledge EOLed 'security vulnerabilities' in daily run output

rickvanderzwet

New Member


Since www/trac has not been updated to python3 I am stuck with lang/python27.

In my daily security run output email I have suspended notifications only showing me errors and warnings:
$ grep daily_show /etc/periodic.conf
daily_show_success="NO"
daily_show_info="NO"


However, I now get an email every day reminding me I need to upgrade python.
Checking for packages with security vulnerabilities:
python27-2.7.17_1: Tag: expiration_date Value: 2020-12-31
python27-2.7.17_1: Tag: deprecated Value: EOLed upstream

which is generated by /usr/local/etc/periodic/security/410.pkg-audit

I would like to acknowledge and suspend the message, keeping the other security vulnerabilities warnings, any ideas?
 

tnpimatt

New Member


I don't see a solution (a periodic.conf twiddle) based on the existing code in that script but editing 410.pkg-audit and deleting the 3 occurrences of 'expiration' and 'deprecation' inside the for lists does the trick.

I wouldn't typically recommend disabling security reporting, but most often these reports are false positives. Useless daily noise. These reports could be improved (quieted) substantially by ignoring build dependencies.
 

olli@

Aspiring Daemon
Developer


Maybe the “expecto” utility can help. I’ve written it specifically to filter out useless things from the daily run output, leaving only the really important messages. It has a certain learning curve, though, and requires some time to configure properly.

I have to admit that it’s still Python2, and the included examples are for FreeBSD 9. But migrating it to Python3 is on top of my priority list. :)
 

getopt

Aspiring Daemon


The warnings do have a purpose: They are meant to nag on you.

If you cannot stand the nagging pass it on to whom it may concern. Write PRs!
If you scan the ports tree for dependency of lang/python2 it still shows that even important ports use it. This problem is not going to be resolved by putting your head in the sand.
Expiration Date EXPIRATION DATE: 2020-12-31

In June 2019 I wrote this:
 

ekvz

Well-Known Member


The warnings do have a purpose: They are meant to nag on you.

If you cannot stand the nagging pass it on to whom it may concern. Write PRs!
If you scan the ports tree for Python2 it still shows that even important ports use it. This problem is not going to be resolved by putting your head in the sand.

Yes, that would be the most practical approach. I wonder how viable that is for something like www/trac though. I am already annoyed enough by having to read up on python to hopefully be able to patch some brain-dead build systems (which should not rely on python in the first place - period). If it would come down to fixing a whole application I'd probably just curse the upstream and look for workarounds too (until I can replace the application with something not written in python, that is).
 

getopt

Aspiring Daemon


I wonder how viable that is for something like www/trac though.

Searching PRs only this exists for www/trac:

If it is a problem with the port contact the maintainer or write a PR.
The ports have 1.2.5_1

If it is an upstream problem nag upstream.
Upstream has 1.4 (check if they still use Python2).

If you can fix it yourself, provide a patch.
 

olli@

Aspiring Daemon
Developer


The warnings do have a purpose: They are meant to nag on you.

That’s true, but sometimes you just can’t do anything about it, and then the nagging serves no purpose. Even worse, the flood of nagging messages might hide other messages that are more important to you.

I can tell you that I do whatever I’m able to do, but there are only 24 hours per day, and FreeBSD is not the only hobby I care about (and not even the most important one). When I have the choice between reading some pages of nagging messages and playing Lego with my grandniece, guess what I prefer … ;)
 

tnpimatt

New Member


It's not as simple as submitting a PR. Plenty of upstream (outside of FreeBSD ports) projects like node.js have legacy dependencies on python27. I don't wish to receive nightly reminders of this fact for the next 12-18 months while the build dependencies and test frameworks and 3rd party modules of those projects are updated. Therefore, this is a better solution for me, for now:

Code:
sed -i.bak -e 's/audit expiration deprecation/audit/g' /usr/local/etc/periodic/security/410.pkg-audit
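A less invasive alternative to editing 410.pkg-audit, as an added example (not code from the thread or from FreeBSD): a POSIX sh filter that hides only the expiration_date/deprecated lines for an explicitly acknowledged package list (assumed here: python27) and lets every other line of the report through, so genuine vulnerability notices are never silenced. The sample report is constructed from the lines quoted in the first post plus a made-up vulnerability entry.

```shell
#!/bin/sh
# Added example (not from the thread): suppress only the EOL/deprecation
# annotation lines for packages you have consciously acknowledged, and pass
# every other line of the 410.pkg-audit report (real vulnerabilities) through.
# Idea: pipe the daily report through this before it is mailed.

# Packages whose expiration/deprecation nags are acknowledged (assumed list).
ACKED_PKGS="python27"

# filter_audit: reads report lines on stdin, writes the kept lines to stdout.
# A line is dropped only if (a) it is an expiration_date or deprecated tag
# line AND (b) its package name (version stripped) is in ACKED_PKGS.
filter_audit() {
    while IFS= read -r line; do
        case "$line" in
            *": Tag: expiration_date Value: "*|*": Tag: deprecated Value: "*)
                pkgname=${line%%: Tag:*}      # e.g. python27-2.7.17_1
                pkgname=${pkgname%-*}         # strip version -> python27
                drop=0
                for p in $ACKED_PKGS; do
                    [ "$p" = "$pkgname" ] && drop=1
                done
                [ "$drop" -eq 1 ] && continue
                ;;
        esac
        printf '%s\n' "$line"
    done
}

# Constructed sample: the report lines quoted in the thread, plus a made-up
# package whose deprecation tag is NOT acknowledged and a made-up
# vulnerability notice (neither refers to a real advisory).
SAMPLE='Checking for packages with security vulnerabilities:
python27-2.7.17_1: Tag: expiration_date Value: 2020-12-31
python27-2.7.17_1: Tag: deprecated Value: EOLed upstream
examplepkg-1.0: Tag: deprecated Value: use otherpkg
examplepkg-1.0 is vulnerable:
examplepkg -- hypothetical issue (constructed sample, not a real advisory)'

# kept_lines: returns the filtered sample report (used by the check below).
kept_lines() {
    printf '%s\n' "$SAMPLE" | filter_audit
}

kept_lines
```

Only the two python27 tag lines disappear; the unacknowledged examplepkg deprecation and the vulnerability notice remain.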
 

chrcol

Well-Known Member


I don't mind being warned a port will expire, but they are a bit aggressive, e.g. it claims Bind 9.11 is EOL when upstream it is actually the current supported LTS release. The expiry date is over a year away, a bit too soon to nag. On the flip side it was a good reminder for me to migrate away from python2 packages.
 