Subject: Re: security/ssh vs distfiles/vulnerabilities
To: None <itojun@iijlab.net>
From: David Maxwell <david@fundy.net>
List: tech-pkg
Date: 06/13/2001 21:36:44
On Thu, Jun 14, 2001 at 09:16:02AM +0900, itojun@iijlab.net wrote:
> 
> >Just point me to the thread if I missed a discussion...
> >Right now distfiles/vulnerabilities says ssh<1.2.31 is vulnerable.
> >The latest version in pkgsrc is 1.2.27nb1, whose patch-ac seems to
> >address the issue that the vulnerabilities file points to.
> >So... should security/ssh be marked BROKEN, or the entry in
> >vulnerabilities be removed, or... something else?
> >Currently the package is 'clean', but audit-packages reports it broken.
> >That's bad.
> 
> 	basically i would suggest using openssh.  should we really mark
> 	security/ssh BROKEN?  or move security/ssh to ssh.com ssh 3.x?

The comment in the Makefile seems to indicate that we're not allowed to
modify versions >1.2.28

# We do not upgrade to 1.2.28 and beyond, intentionally.  There was license
# change between 1.2.27 and 1.2.28, and the new license prohibits us from
# modifying/redistributing it.

This problem affects security/ssh6 as well, of course.

I'd rather see it marked BROKEN than have people install it, get no
warning, and expose their systems.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> The only difference I see
between voodoo and marketing research is that voodoo sometimes works! 
						- Leonard Stern
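As an added illustration of the mismatch described in this thread (example code written for this page, not pkgsrc's audit-packages and not code posted by anyone in the thread): a vulnerabilities entry such as `ssh<1.2.31` is matched purely on the installed package's name and version string, so a locally patched `ssh-1.2.27nb1` is still reported, because the fix in patch-ac never shows up in the version. The version grammar below is a simplified assumption (dotted integers plus an optional `nbN` package-revision suffix, no alpha/beta/rc modifiers), and the installed-package list is constructed for the example.

```python
import re

# Simplified pkgsrc-style version: dotted integers plus optional 'nbN'
# (the NetBSD package revision, which sorts after the base version).
# Assumption for this example: no alpha/beta/rc/pl modifiers.
_VERSION_RE = re.compile(r'(\d+(?:\.\d+)*)(?:nb(\d+))?')
# Entry in distfiles/vulnerabilities: pkgname, comparison op, version.
_ENTRY_RE = re.compile(r'([A-Za-z0-9_+.-]*?)(<=|>=|==|<|>)(\S+)')
# Installed package: name, '-', version starting with a digit.
_PKG_RE = re.compile(r'(.+)-(\d[^-]*)')


def parse_version(v):
    """'1.2.27nb1' -> ((1, 2, 27), 1); '1.2.31' -> ((1, 2, 31), 0)."""
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError("unsupported version string: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split('.'))
    nb = int(m.group(2)) if m.group(2) else 0
    return nums, nb


def cmp_version(a, b):
    """Return -1, 0 or 1 for a <, == or > b in pkgsrc ordering."""
    na, nba = parse_version(a)
    nb_, nbb = parse_version(b)
    # Pad the shorter numeric tuple so that 1.2 compares equal to 1.2.0.
    width = max(len(na), len(nb_))
    na += (0,) * (width - len(na))
    nb_ += (0,) * (width - len(nb_))
    if na != nb_:
        return -1 if na < nb_ else 1
    # Same base version: the nb revision decides (1.2.27nb1 > 1.2.27).
    return (nba > nbb) - (nba < nbb)


_OPS = {
    '<':  lambda c: c < 0,
    '<=': lambda c: c <= 0,
    '>':  lambda c: c > 0,
    '>=': lambda c: c >= 0,
    '==': lambda c: c == 0,
}


def matches(installed, entry):
    """True if installed package (e.g. 'ssh-1.2.27nb1') is covered by
    a vulnerabilities entry (e.g. 'ssh<1.2.31'). Only the name and the
    version string are consulted; local patches are invisible here."""
    pm = _PKG_RE.fullmatch(installed)
    em = _ENTRY_RE.fullmatch(entry)
    if not pm or not em:
        raise ValueError("cannot parse %r / %r" % (installed, entry))
    name, version = pm.groups()
    vname, op, vversion = em.groups()
    if name != vname:
        return False
    return _OPS[op](cmp_version(version, vversion))


def audit(installed_pkgs, entries):
    """Return [(pkg, entry), ...] for every installed package that a
    vulnerabilities entry covers, in the spirit of audit-packages."""
    return [(p, e) for p in installed_pkgs for e in entries if matches(p, e)]


# Constructed input for the example: the entry quoted in the thread and
# a few installed packages. 'openssh-2.9' is a made-up version string.
VULNERABILITIES = ["ssh<1.2.31"]
INSTALLED = ["ssh-1.2.27nb1", "openssh-2.9", "ssh-1.2.31"]

if __name__ == "__main__":
    for pkg, entry in audit(INSTALLED, VULNERABILITIES):
        print("%s is vulnerable according to entry %s" % (pkg, entry))
```

Running the block reports only `ssh-1.2.27nb1`: the `nb1` revision sorts above `1.2.27` but still below `1.2.28`, so nothing short of bumping the version past 1.2.31 or removing the entry would make the package "clean" to a version-based check.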