Subject: Re: security/ssh vs distfiles/vulnerabilities
To: None <firstname.lastname@example.org>
From: David Maxwell <email@example.com>
Date: 06/13/2001 21:36:44

On Thu, Jun 14, 2001 at 09:16:02AM +0900, firstname.lastname@example.org wrote:
> >Just point me to the thread if I missed a discussion...
> >Right now distfiles/vulnerabilities says ssh<1.2.31 is vulnerable.
> >The latest version in pkgsrc is 1.2.27nb1, whose patch-ac seems to
> >address the issue that the vulnerabilities file points to.
> >So... should security/ssh be marked BROKEN, or the entry in
> >vulnerabilities be removed, or... something else?
> >Currently the package is 'clean', but audit-packages reports it broken.
> >That's bad.
> basically i would suggest using openssh. should we really mark
> security/ssh BROKEN? or move security/ssh to ssh.com ssh 3.x?

The comment in the Makefile seems to indicate that we're not allowed to
modify versions >1.2.28

# We do not upgrade to 1.2.28 and beyond, intentionally. There was
# change between 1.2.27 and 1.2.28, and the new license prohibits us
# modifying/redistributing it.

This problem affects security/ssh6 as well, of course.

I'd rather see it marked BROKEN than have people install it, get no
warning, and expose their systems.

David Maxwell, email@example.comfirstname.lastname@example.org --> The only difference I see
between voodoo and marketing research is that voodoo sometimes works!
- Leonard Stern