# acknowledge EOLed 'security vulnerabilities' in daily run output



## rickvanderzwet (Mar 3, 2020)

Since www/trac has not been updated to python3, I am stuck with lang/python27.

In my daily security run output email I have suspended notifications, showing me only errors and warnings:

```
$ grep daily_show /etc/periodic.conf
daily_show_success="NO"
daily_show_info="NO"
```

However, I now get an email every day reminding me that I need to upgrade python.


> Checking for packages with security vulnerabilities:
> python27-2.7.17_1: Tag: expiration_date Value: 2020-12-31
> python27-2.7.17_1: Tag: deprecated Value: EOLed upstream



which is generated by `/usr/local/etc/periodic/security/410.pkg-audit`.

I would like to acknowledge and suspend the message while keeping the other security vulnerability warnings. Any ideas?
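One way to get exactly this (silence only acknowledged expiration/deprecation notices, keep every vulnerability warning) is to post-filter the audit output instead of editing the periodic script. The following is an added example written for this thread; it is not code from any post here nor from FreeBSD's 410.pkg-audit. The `Tag: ... Value: ...` notice format is taken from the output quoted above, while the acknowledgement-list format, the function names and the `examplepkg` sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not taken from this thread or from FreeBSD's 410.pkg-audit:
# a post-filter for the "Checking for packages with security vulnerabilities"
# output that drops expiration/deprecation notices only for packages an admin
# has explicitly acknowledged, and passes every other line through unchanged.
#
# Assumptions (hypothetical, not FreeBSD conventions): the acknowledgement
# list is plain text with one "<package-name-without-version> <tag>" per line,
# e.g. "python27 expiration_date" or "python27 deprecated". The notice line
# format "<pkg-version>: Tag: <tag> Value: <value>" is the one the original
# poster quoted from their daily mail.

# Constructed sample of audit output. The "examplepkg" lines are made up to
# show what must NOT be filtered; they do not describe a real advisory.
SAMPLE_AUDIT_OUTPUT='Checking for packages with security vulnerabilities:
python27-2.7.17_1: Tag: expiration_date Value: 2020-12-31
python27-2.7.17_1: Tag: deprecated Value: EOLed upstream
examplepkg-1.0: Tag: expiration_date Value: 2021-06-30
examplepkg-1.0 is vulnerable:
examplepkg -- placeholder vulnerability entry (constructed)'

# Constructed acknowledgement list: python27 is acknowledged for both tags.
# examplepkg is not, so its notice and its vulnerability entry must survive.
SAMPLE_ACK_LIST='python27 expiration_date
python27 deprecated'

# strip_version: "python27-2.7.17_1" -> "python27".
# A pkg version starts at the last "-" that is followed by a digit.
strip_version() {
    printf '%s\n' "$1" | sed -E 's/-[0-9][^-]*$//'
}

# filter_acknowledged ACK_LIST_CONTENTS
# Reads audit output on stdin; writes it to stdout minus the notice lines
# whose "<name> <tag>" pair appears in the acknowledgement list.
# Lines that are not Tag/Value notices (vulnerability entries, headers)
# are never touched, so real advisories keep reaching the daily mail.
filter_acknowledged() {
    ack_list=$1
    while IFS= read -r line; do
        case $line in
        *": Tag: "*" Value: "*)
            pkgver=${line%%": Tag: "*}        # "python27-2.7.17_1"
            rest=${line#*": Tag: "}           # "expiration_date Value: ..."
            tag=${rest%%" Value: "*}          # "expiration_date"
            name=$(strip_version "$pkgver")   # "python27"
            if printf '%s\n' "$ack_list" | grep -qxF "$name $tag"; then
                continue                      # acknowledged: drop this line
            fi
            ;;
        esac
        printf '%s\n' "$line"
    done
}

# filtered_sample: run the constructed sample through the filter; the result
# keeps the header, the examplepkg notice and the vulnerability entry.
filtered_sample() {
    printf '%s\n' "$SAMPLE_AUDIT_OUTPUT" | filter_acknowledged "$SAMPLE_ACK_LIST"
}

# Stand-alone run: print what the daily mail would contain after filtering.
filtered_sample
```

Run the block as-is to see the filtered sample. On a real host the same function could be fed the security section of the daily mail (periodic(8) can be told to write its output to a file instead of mailing it), with the acknowledgement list read from a file of your choosing. Only lines of the exact `Tag: ... Value: ...` shape can ever be dropped, and only for name/tag pairs listed explicitly, so a new vulnerability entry for python27 itself would still be reported.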


----------



## tnpimatt (Sep 21, 2020)

I don't see a solution (a periodic.conf twiddle) based on the existing code in that script, but editing 410.pkg-audit and deleting the 3 occurrences of 'expiration' and 'deprecation' inside the for lists does the trick.

I wouldn't typically recommend disabling security reporting, but most often these reports are false positives. Useless daily noise. These reports could be improved (quieted) substantially by ignoring build dependencies.


----------



## olli@ (Sep 22, 2020)

Maybe the “expecto” utility can help. I’ve written it specifically to filter out useless things from the daily run output, leaving only the really important messages. It has a certain learning curve, though, and requires some time to configure properly.

I have to admit that it’s still Python2, and the included examples are for FreeBSD 9. But migrating it to Python3 is on top of my priority list.


----------



## getopt (Sep 22, 2020)

The warnings do have a purpose: They are meant to nag on you.

If you cannot stand the nagging, pass it on to whom it may concern. Write PRs!
If you scan the ports tree for dependencies on lang/python2, it still shows that even important ports use it. This problem is not going to be resolved by putting your head in the sand.


`EXPIRATION DATE: 2020-12-31`

In June 2019 I wrote this:

As python27 approaches EOL, important ports still depend on (forums.freebsd.org)

> See which of your installed ports still depend on lang/python27:
> `pkg query '%m : %o still depends on EOL 2020-01-01 %dn' | grep 'python27$'`
> Some maintainers may need a wake up call ;)

----------



## ekvz (Sep 22, 2020)

getopt said:


> The warnings do have a purpose: They are meant to nag on you.
> 
> If you cannot stand the nagging pass it on to whom it may concern. Write PRs!
> If you scan the ports tree for Python2 it still shows that even important ports use it. This problem is not going to be resolved by putting your head in the sand.



Yes, that would be the most practical approach. I wonder how viable that is for something like www/trac though. I am already annoyed enough by having to read up on python to hopefully be able to patch some brain dead build systems (which should not rely on python in the first place - period). If it would come down to fixing a whole application I'd probably just curse the upstream and look for workarounds too (until I can replace the application with something not written in python, that is).


----------



## getopt (Sep 22, 2020)

ekvz said:


> I wonder how viable that is for something like www/trac though.



Searching PRs, only this exists for www/trac: Bug List (bugs.freebsd.org)

If it is a problem with the port, contact the maintainer or write a PR.
The ports have *1.2.5_1*.

If it is an upstream problem, nag upstream.
Upstream has *1.4* (check if they still use Python2).

If you can fix it yourself, provide a patch.


----------



## olli@ (Sep 22, 2020)

getopt said:


> The warnings do have a purpose: They are meant to nag on you.


That’s true, but sometimes you just can’t do anything about it, and then the nagging serves no purpose. Even worse, the flood of nagging messages might hide other messages that are more important to you.

I can tell you that I do whatever I'm able to do, but there are only 24 hours per day, and FreeBSD is not the only hobby I care about (and not even the most important one). When I have the choice between reading some pages of nagging messages and playing Lego with my grand niece, guess what I prefer …


----------



## tnpimatt (Sep 22, 2020)

It's not as simple as submitting a PR. Plenty of upstream (outside of FreeBSD ports) projects like node.js have legacy dependencies on python 27. I don't wish to receive nightly reminders of this fact for the next 12-18 months while the build dependencies and test frameworks and 3rd party modules of those projects are updated. Therefore, this is a better solution for me, for now:


```
sed -i.bak -e 's/audit expiration deprecation/audit/g' /usr/local/etc/periodic/security/410.pkg-audit
```


----------



## chrcol (Oct 13, 2020)

I don't mind being warned that a port will expire, but they are a bit aggressive, e.g. it claims Bind 9.11 is EOL when upstream it is actually the current supported LTS release. The expiry date is over a year away, a bit too soon to nag. On the flip side, it was a good reminder for me to migrate away from python2 packages.


----------

