Subject: Re: removing vulnerable packages vs. marking them BROKEN (was: CVS commit: doc)
To: None <wiz@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 07/15/2002 12:32:41
[ On Sunday, July 14, 2002 at 23:28:44 (+0300), Thomas Klausner wrote: ]
> Subject: CVS commit: doc
>
> 
> Module Name:	doc
> Committed By:	wiz
> Date:		Sun Jul 14 20:28:43 UTC 2002
> 
> Modified Files:
> 	doc: pkg-CHANGES
> 
> Log Message:
> Removed gnut [vulnerable and no newer version available]

[[ that should be "net/gnut 0.4.20", right?  :-) ]]

(and there is a newer version available, 0.4.28 -- but presumably it's
still vulnerable)

"removed" as in "cvs rm"?  That seems like the wrong response in general
to a situation like this (though perhaps not for this specific case, now
that I read your full comments for the removed files).

In general I'd like to see something done more along the lines of what
the FreeBSD folks do when a package gets into a situation like this,
which is to mark the package as "BROKEN" (giving a reason in the string
value for this make macro).  Support for "BROKEN" is still in NetBSD
pkgsrc.

I agree that keeping such things around can create clutter, but on the
other hand not all vulnerabilities are so black and white -- often the
risks are quite specific and won't necessarily affect everyone who might
use the package.  Some of those users might even be able to find a fix
if they know where the vulnerability is documented.

(FYI I don't use gnut, and in fact have never used anything like it ;-)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>