Hi,

Not too infrequently, packages are added to pkgsrc which have had security problems in the past. I have at least the feeling that sometimes we add packages with security problems but don't know about it, since the pkgsrc-security problem only monitors from the time the package is added. I understand that the burden of ensuring the security of a package lies with the person who adds it, but I can see that this might be slightly uneasy, and packages might slip through.

Do we currently have any procedure to prevent this? Most of the time, the pkgsrc-security team already has all the tickets in question at hand, but we don't currently monitor package additions (to my knowledge?). Should we try to monitor package additions as well, looking for potentially hazardous packages and re-opening the old tickets in question?

One might of course always assume that the latest upstream packages are not affected by any security problems, but that strikes me as slightly naïve.

Tonnerre