Subject: Re: The pkgsrc-2006Q1 branch
To: None <>
From: None <>
List: pkgsrc-users
Date: 04/02/2006 16:36:54
On Fri, Mar 31, 2006 at 02:11:11PM -0500, Anne Bennett wrote:
>   (a) When audit-packages tells me that an installed package has a
>       vulnerability, what actions do you recommend that I perform
>       in reaction to that report?  (Each package's web page states "If
>       you have a vulnerable package installed on any machine, you are
>       advised to remove the package immediately" - which is not
>       terrifically helpful in practice!)

Check if there is an update. For the branch, security fixes are normally
pulled up immediately or after a short time for testing. If no update
exists, you are kind of screwed. Evaluate whether you really need the
package at the moment and how bad a compromise would be. As a member of the
pkgsrc security team I can promise you that we do our best to provide
security fixes if possible. Sometimes it isn't or too much work. It
can help to ask the vendor of a specific program for a security fix, but
we also have a number of unfixed, long standing issues. Not really our
fault in some cases. :-)

>   (b) When I want to upgrade a particular package (for example because
>       I need its new functionality), how do you recommend that I do
>       this, bearing in mind that I have a lot of other software
>       installed and in use on the system?

You can try to cherry pick changes from pkgsrc current, but for !leaf
packages it can be quite a lot of work and risky. The situation is
similar to Debian: either use a stable version or the current tree, but
mixing is problematic.
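The advice in the reply above (match the audit report against what is installed, then check whether the branch already carries a fixed version before deciding what to do) as an added, self-contained example. This is not audit-packages or any other pkgsrc code; the vulnerability entries, installed package list and branch contents are constructed, and the version ordering is a simplified reading of pkgsrc dewey rules (an assumption, not the real pkg_admin pmatch logic).

```python
"""Toy model of an audit-packages run followed by the "is there an update?" check.
Added example, not pkgsrc code.  The pkg-vulnerabilities line shape assumed here is
"<pattern> <vulnerability-type> <url>" with '#' comment lines; the dewey comparison
is simplified (assumption) and every data value below is constructed."""
import re

# Constructed pkg-vulnerabilities lines, not real advisories.
SAMPLE_VULNS = """\
# PKGSRC_VULN_FORMAT: 1.0.0
# constructed entries for illustration only
foo<1.2.3 remote-code-execution https://example.invalid/advisory-1
bar>=2.0<2.0.5 denial-of-service https://example.invalid/advisory-2
baz-1.0nb2 local-privilege-escalation https://example.invalid/advisory-3
"""

# Constructed list of installed PKGNAMEs, as pkg_info would list them.
INSTALLED = ["foo-1.2.2", "bar-2.0.1", "baz-1.0nb3", "qux-3.1"]

# Constructed view of what the stable branch offers right now (name -> PKGNAME).
BRANCH = {"foo": "foo-1.2.3", "bar": "bar-2.0.1", "baz": "baz-1.0nb3"}

_TOKEN = re.compile(r"(\d+)|(nb)|(alpha|beta|pre|rc)|([a-zA-Z])")
_MODIFIER = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1}  # sort below a plain release


def dewey(version):
    """Split '2.0rc1' into ([2, 0, -1, 1], nb) so plain list ordering ranks it."""
    main, nb, after_nb = [], 0, False
    for num, nbtok, mod, letter in _TOKEN.findall(version):
        if nbtok:
            after_nb = True              # pkgsrc revision suffix, e.g. 1.0nb2
        elif num:
            if after_nb:
                nb = int(num)
            else:
                main.append(int(num))
        elif mod:
            main.append(_MODIFIER[mod])  # 2.0rc1 < 2.0
        else:
            main.append(ord(letter.lower()) - ord("a") + 1)  # 1.0a > 1.0
    return main, nb


def compare(a, b):
    """Return -1, 0 or 1 ordering version strings a and b; missing parts count as 0."""
    (ma, na), (mb, nbb) = dewey(a), dewey(b)
    width = max(len(ma), len(mb))
    ka = ma + [0] * (width - len(ma)) + [na]
    kb = mb + [0] * (width - len(mb)) + [nbb]
    return (ka > kb) - (ka < kb)


# name, then either "-<exact version>" or one or more "<op><version>" bounds
_PATTERN = re.compile(r"^(?P<name>.+?)(?:-(?P<exact>\d[^<>]*)|(?P<cmps>(?:[<>]=?[^<>]+)+))$")
_CMP = re.compile(r"([<>]=?)([^<>]+)")
_OPS = {"<": (-1,), "<=": (-1, 0), ">": (1,), ">=": (0, 1)}


def matches(pattern, pkgname):
    """True when PKGNAME ('foo-1.2.2') falls inside the entry's version range."""
    name, version = pkgname.rsplit("-", 1)
    m = _PATTERN.match(pattern)
    if not m or m.group("name") != name:
        return False
    if m.group("exact") is not None:
        return compare(version, m.group("exact")) == 0
    return all(compare(version, target) in _OPS[op]
               for op, target in _CMP.findall(m.group("cmps")))


def audit(vuln_text, installed):
    """Report (pkgname, pattern, type, url) for every installed package an entry hits."""
    hits = []
    for line in vuln_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        pattern, vtype, url = fields[:3]
        hits.extend((pkg, pattern, vtype, url) for pkg in installed if matches(pattern, pkg))
    return hits


def plan(vuln_text, installed, branch):
    """For each hit: update if the branch version is outside the range, else reassess."""
    actions = {}
    for pkg, pattern, vtype, url in audit(vuln_text, installed):
        candidate = branch.get(pkg.rsplit("-", 1)[0])
        if candidate and not matches(pattern, candidate):
            actions[pkg] = "update to " + candidate
        else:
            actions[pkg] = "no fixed version on branch; reassess need and exposure (%s, %s)" % (vtype, url)
    return actions


if __name__ == "__main__":
    for pkg, action in plan(SAMPLE_VULNS, INSTALLED, BRANCH).items():
        print(pkg, "->", action)
```

With the constructed data, foo-1.2.2 gets "update to foo-1.2.3" because the branch version is no longer inside `foo<1.2.3`, while bar-2.0.1 is flagged with no branch fix, which is exactly the "evaluate whether you really need the package" situation the reply describes; baz-1.0nb3 is not reported because the entry names the exact revision 1.0nb2.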