Subject: Re: removing vulnerable packages vs. marking them BROKEN (was: CVS commit: doc)
To: None <>
From: Greg A. Woods <>
List: tech-pkg
Date: 07/15/2002 12:32:41
[ On Sunday, July 14, 2002 at 23:28:44 (+0300), Thomas Klausner wrote: ]
> Subject: CVS commit: doc
> Module Name:	doc
> Committed By:	wiz
> Date:		Sun Jul 14 20:28:43 UTC 2002
> Modified Files:
> 	doc: pkg-CHANGES
> Log Message:
> Removed gnut [vulnerable and no newer version available]

[[ that should be "net/gnut 0.4.20", right?  :-) ]]

(and there is a newer version available, 0.4.28 -- but presumably it's
still vulnerable)

"removed" as in "cvs rm"?  that seems like the wrong response in general
to a situation like this (though perhaps not for this specific case, now
that I read your full comments for the removed files).

In general I'd like to see something done more along the lines of what
the FreeBSD folks do when a package gets into a situation like this,
which is to mark the package as "BROKEN" (giving a reason in the string
value for this make macro).  Support for "BROKEN" is still in NetBSD

I agree that keeping such things around can create clutter, but on the
other hand not all vulnerabilities are so black and white -- often the
risks are quite specific and won't necessarily affect everyone who might
use the package.  Some of those users might even be able to find a fix
if they know where the vulnerability is documented.

(FYI I don't use gnut, and in fact have never used anything like it ;-)

								Greg A. Woods

+1 416 218-0098;            <>;           <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>