pkgsrc-Users archive


Re: [HEADSUP] Removing vulnerable packages



I also disagree with the premise here -- packages that are useless or
dead upstream or clearly not being used by anyone should perhaps be
removed, but I don't think the existence of vulnerabilities (some of
which are sometimes trivial or scarcely worth taking note of) is a
good predictor of any of the other properties.

On Fri, Apr 08, 2011 at 01:20:09PM +0200, Thomas Klausner wrote:
 > For these packages no one has spoken up:
 > 
 > amaya-10.0.1

amaya is a huge road accident. I would advise against removing it just
on the grounds that if anyone decides they want it back in the future,
having the existing package readily available for reference makes it
much more likely that they'll be able to get it to build.

However, there's also a good argument to be made for terminating it
with prejudice and not allowing it back.

 > bugzilla-2.22.7
 > bugzilla-3.2.4

This I think falls into the category of packages it would be
embarrassing to remove.

 > quake3arena-1.32b
 > quake3server-1.32b

These shouldn't be removed either, unless we think nobody will ever
want to run them again. Are fixes even available?

 > vlc08-0.8.6i

Isn't this a low-severity issue that's been blown off by upstream?

-- 
David A. Holland
dholland%netbsd.org@localhost

