# What does DISABLE_VULNERABILITIES=yes really mean?



## gladiola (Apr 20, 2019)

What does `make DISABLE_VULNERABILITIES=yes` really mean?  When port maintainers put this in the script, does this mean that they are taking a standard type of action for the port?  Are they leaving out features or files known to contribute to a vulnerability?  Is there a standard path or principle that's guiding the use of that argument?

When I looked up this phrase on the forum search, it seemed to dredge up many individual cases.  In one instance, it seemed that a lower version, still vulnerable, was being used.  I found that surprising. 

If it's not patching, and it's not upgrading, and it's sometimes downgrading; then what is it doing?  Is it just an acknowledgement of the CVEs?  Also, if there's a reference that tells us about it, please let me know.


----------



## talsamon (Apr 20, 2019)

A port with an IGNORE statement in the Makefile is blocked and cannot be built. `DISABLE_VULNERABILITIES=yes` makes it possible to build it (if someone needs it and ignores the vulnerability).
This changes nothing; the port is still vulnerable.


----------



## gladiola (Apr 22, 2019)

Well, that sounds remarkably like the exact opposite of what I was hoping for.  Perhaps it should have been called ENABLE_VULNERABILITIES=yes.


----------



## SirDice (Apr 23, 2019)

talsamon said:


> A port with an IGNORE statement in the Makefile is blocked and cannot be built.


No. It's still going to be IGNORED. This has nothing to do with DISABLE_VULNERABILITIES. IGNORE is used for example if a port doesn't build due to errors, or some other case where trying to build it would simply fail. 

It has to do with pkg-audit(8) that flags a port as vulnerable. If pkg-audit(8) flags a port as vulnerable the system will prevent you from installing it. Setting DISABLE_VULNERABILITIES allows you to ignore (i.e. disable) that security check.



gladiola said:


> Are they leaving out features or files known to contribute to a vulnerability?


No, it simply disables the security check that stops you from building it. It's just as vulnerable as before. The idea here is that you are made AWARE of the vulnerability.
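The check being discussed here is the pkg-audit(8) run that the ports framework performs before a build. The following script is an added example, not code from the thread or from the ports tree: it parses `pkg audit` output and lists the packages that were flagged, so you can see what the check would have stopped instead of switching it off with `DISABLE_VULNERABILITIES=yes`. The sample report embedded below is constructed; the package names, CVE ids and VuXML URLs in it are placeholders. When pkg(8) is present the script reads the live report instead.

```shell
#!/bin/sh
# Added example (not from the thread): list the packages that pkg-audit(8)
# flags, i.e. the same check that DISABLE_VULNERABILITIES=yes switches off
# in the ports framework.

# Constructed sample of `pkg audit` output. Package names, CVE ids and
# VuXML URLs are placeholders, not real advisories.
SAMPLE_AUDIT='examplepkg-1.2.3 is vulnerable:
examplepkg -- placeholder vulnerability description
CVE: CVE-0000-00000
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER.html

otherpkg-4.5 is vulnerable:
otherpkg -- another placeholder description
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER2.html

2 problem(s) in 2 installed package(s) found.'

# Read a pkg audit report on stdin and print one "<name>-<version>" per
# flagged package, taken from every "... is vulnerable:" line.
vulnerable_pkgs() {
    sed -n 's/^\([^ ]*\) is vulnerable:$/\1/p'
}

# Read the same report on stdin and print how many packages were flagged.
count_vulnerable() {
    vulnerable_pkgs | wc -l | tr -d ' '
}

# Produce a report: the live one when pkg(8) is installed, the constructed
# sample otherwise. `pkg audit` exits non-zero when it finds something,
# so that exit status must not abort the script.
audit_report() {
    if command -v pkg >/dev/null 2>&1; then
        pkg audit 2>/dev/null || true
    else
        printf '%s\n' "$SAMPLE_AUDIT"
    fi
}

# Demo: print the flagged packages, then a count.
audit_report | vulnerable_pkgs
printf 'flagged packages: %s\n' "$(audit_report | count_vulnerable)"
```

Run `pkg audit -F` first on a real system so the VuXML database is current; the list this prints is exactly what the build framework reacts to, and clearing it (by updating or removing the affected packages) is the fix, whereas `DISABLE_VULNERABILITIES=yes` only stops the framework from looking.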


----------



## gladiola (Apr 23, 2019)

SirDice said:


> Setting DISABLE_VULNERABILITIES allows you to ignore (i.e. disable) that security check.


Any way that can become "DISABLE_SECURITY_CHECK"?

It really seems like it is named to turn off the vulns. This argument is enabling them. If it is disabling the check, that's a different action than disabling a vulnerability.


----------



## SirDice (Apr 23, 2019)

gladiola said:


> Any way that can become "DISABLE_SECURITY_CHECK"?


I doubt it.

```
20050609:
AUTHOR: portmgr@FreeBSD.org
The following changes were introduced:

  * Improve documentation of CONFLICTS.

  * Fix add-plist-docs target to work correctly with wildcards.

  * Fix USE_MYSQL and USE_PGSQL knobs to work in partial ports
    tree.

  * Introduce 2 new variables: USE_FAM and WANT_FAM_SYSTEM.

  * Suppress "Vulnerability check disabled" message if
    DISABLE_VULNERABILITIES is defined.
```

The variable has been around for at least 15 years.


----------

