Subject: Re: removing vulnerable packages vs. marking them BROKEN (was: CVS commit: doc)
To: None <>
From: Thomas Klausner <>
List: tech-pkg
Date: 07/15/2002 18:42:15
On Mon, Jul 15, 2002 at 12:32:41PM -0400, Greg A. Woods wrote:
> > Removed gnut [vulnerable and no newer version available]
> [[ that should be "net/gnut 0.4.20", right?  :-) ]]
> (and there is a newer version available, 0.4.28 -- but presumably it's
> still vulnerable)

0.4.28 is supposed to not be vulnerable. The homepage disappeared,
though, and I didn't find a newer distfile than 0.4.27 (the last
vulnerable version).

> I agree that keeping such things around can create clutter, but on the
> other hand not all vulnerabilities are so black and white -- often the
> risks are quite specific and won't necessarily affect everyone who might
> use the package.  Some of those users might even be able to find a fix
> if they know where the vulnerability is documented.

In this particular case, the vulnerability was added to the
vulnerabilities file (see security/audit-packages).

In general, I'm not opposed to marking packages as BROKEN, but if they
stay BROKEN for too long, I am for removing them completely since
there obviously is not enough interest in keeping them around.


Thomas Klausner -
Intolerance is the last defense of the insecure.