What does DISABLE_VULNERABILITIES=yes really mean?

gladiola

Active Member

Reaction score: 7
Messages: 109

What does make DISABLE_VULNERABILITIES=yes really mean? When port maintainers put this in the script, does this mean that they are taking a standard type of action for the port? Are they leaving out features or files known to contribute to a vulnerability? Is there a standard path or principle that's guiding the use of that argument?

When I looked up this phrase on the forum search, it seemed to dredge up many individual cases. In one instance, it seemed that a lower version, still vulnerable, was being used. I found that surprising.

If it's not patching, and it's not upgrading, and it's sometimes downgrading; then what is it doing? Is it just an acknowledgement of the CVEs? Also, if there's a reference that tells us about it, please let me know.
 

talsamon

Daemon

Reaction score: 284
Messages: 1,835

A port with IGNORE statement in the Makefile, is blocked and cannot be build. DISABLE_VULNERABILITIES=yes make it possible to build it (if someone need it and ignores vulnerability).
This changes nothing, the port is still vulnerable.
 
OP
gladiola

gladiola

Active Member

Reaction score: 7
Messages: 109

Well, that sound remarkably like the exact opposite of what I was hoping for. Perhaps it should have been called ENABLE_VULNERABILITIES=yes.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 9,504
Messages: 34,294

A port with IGNORE statement in the Makefile, is blocked and cannot be build.
No. It's still going to be IGNORED. This has nothing to do with DISABLE_VULNERABILITIES. IGNORE is used for example if a port doesn't build due to errors, or some other case where trying to build it would simply fail.

It has to do with pkg-audit(8) that flags a port as vulnerable. If pkg-audit(8) flags a port as vulnerable the system will prevent you from installing it. Setting DISABLE_VULNERABILITIES allows you to ignore (i.e. disable) that security check.

Are they leaving out features or files known to contribute to a vulnerability?
No, it simply disables the security check that stops you from building it. It's just as vulnerable as before. The idea here is that you are made AWARE of the vulnerability.
 
OP
gladiola

gladiola

Active Member

Reaction score: 7
Messages: 109

Setting DISABLE_VULNERABILITIES allows you to ignore (i.e. disable) that security check.
Any way that can become "DISABLE_SECURITY_CHECK"?

It really seems like it is named to turn off the vulns. This argument is enabling them. If it is disabling the check, that's a different action than disabling a vulnerability.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 9,504
Messages: 34,294

Any way that can become "DISABLE_SECURITY_CHECK"?
I doubt it.
Code:
20050609:
AUTHOR: portmgr@FreeBSD.org
The following changes were introduced:

  * Improve documentation of CONFLICTS.

  * Fix add-plist-docs target to work correctly with wildcards.

  * Fix USE_MYSQL and USE_PGSQL knobs to work in partial ports
    tree.

  * Introduce 2 new variables: USE_FAM and WANT_FAM_SYSTEM.

  * Suppress "Vulnerability check disabled" message if
    DISABLE_VULNERABILITIES is defined.


The variable has been around for at least 15 years.
 
Top