Subject: Re: removing vulnerable packages vs. marking them BROKEN (was: CVS commit: doc)
To: None <email@example.com>
From: Thomas Klausner <firstname.lastname@example.org>
Date: 07/15/2002 18:42:15

On Mon, Jul 15, 2002 at 12:32:41PM -0400, Greg A. Woods wrote:
> > Removed gnut [vulnerable and no newer version available]
> [[ that should be "net/gnut 0.4.20", right? :-) ]]
> (and there is a newer version available, 0.4.28 -- but presumably it's
> still vulnerable)

0.4.28 is supposed to not be vulnerable. The homepage disappeared,
though, and I didn't find a newer distfile than 0.4.27 (the last

> I agree that keeping such things around can create clutter, but on the
> other hand not all vulnerabilities are so black and white -- often the
> risks are quite specific and won't necessarily affect everyone who might
> use the package. Some of those users might even be able to find a fix
> if they know where the vulnerability is documented.

In this particular case, the vulnerability was added to the
vulnerabilities file (see security/audit-packages).

In general, I'm not opposed to marking packages as BROKEN, but if they
stay BROKEN for too long, I am for removing them completely since
there obviously is not enough interest in keeping them around.

Thomas Klausner - email@example.com
Intolerance is the last defense of the insecure.
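The message above points at the vulnerabilities file consumed by security/audit-packages as the mechanism that warns users about an installed vulnerable package even after the package has left the tree. The following is an added example, not part of this thread and not the pkgsrc audit-packages implementation: a small Python re-creation of that check. It reads entries in the "package-pattern type-of-exploit reference" line format of the vulnerabilities file, matches them against a list of installed package names (as pkg_info would report them) and reports the hits. The package names, versions and URLs are constructed for the example, the dewey version ordering is a simplified reimplementation, and only relational (`<`, `<=`, `>`, `>=`) and glob patterns are supported.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the "pkgpattern type-of-exploit reference" line
# format of the pkgsrc vulnerabilities file. Package names, versions and
# URLs are invented for this example; they are not real advisories.
SAMPLE_VULNERABILITIES = """\
# package-pattern     type-of-exploit        reference
gnut<0.4.28           remote-code-execution  http://advisories.example.invalid/1
foo<1.2.3             denial-of-service      http://advisories.example.invalid/2
bar>=2.0<2.0.5        privilege-escalation   http://advisories.example.invalid/3
baz-3.1*              local-file-overwrite   http://advisories.example.invalid/4
"""

# Constructed list of installed packages, in the "name-version" form pkg_info prints.
INSTALLED = ["gnut-0.4.27", "foo-1.2.2", "bar-2.0.3", "bar-2.0.5", "baz-3.1nb2", "qux-1.0"]

# Simplified dewey ordering (assumption, not the real pkgsrc code): pre-release
# words sort below the release, "nb" (pkgsrc revision) and "pl" are neutral,
# so "1.0alpha1" < "1.0" < "1.0nb1" < "1.0.1".
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0, "nb": 0}


def dewey_key(version):
    """Turn a version string into a list of integers that orders like dewey."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            key.append(int(tok))
        elif tok.lower() in _MODIFIERS:
            key.append(_MODIFIERS[tok.lower()])
        elif len(tok) == 1:
            key.append(ord(tok.lower()) - ord("a") + 1)  # "1.0a" sorts after "1.0"
        else:
            key.append(0)  # unknown word: ignored for ordering
    return key


def dewey_cmp(a, b):
    """Return -1, 0 or 1 comparing versions a and b; shorter keys are zero-padded."""
    ka, kb = dewey_key(a), dewey_key(b)
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def split_pkgname(pkgname):
    """'foo-bar-1.2nb3' -> ('foo-bar', '1.2nb3'): version is the last dash-part starting with a digit."""
    m = re.match(r"^(.+)-(\d[^-]*)$", pkgname)
    if m is None:
        raise ValueError("not a name-version package name: %r" % pkgname)
    return m.group(1), m.group(2)


# "base" followed by one or more relational clauses, e.g. "bar>=2.0<2.0.5".
_REL_RE = re.compile(r"^([^<>=]+?)((?:[<>]=?[^<>]+)+)$")
_CLAUSE_RE = re.compile(r"([<>]=?)([^<>]+)")


def pattern_matches(pattern, pkgname):
    """True if the installed package name falls under the vulnerability pattern."""
    m = _REL_RE.match(pattern)
    if m is None:
        # No relational operator: treat as a glob such as "baz-3.1*".
        # (Globs are loose: "baz-3.1*" would also match "baz-3.10", which is
        # why relational patterns are preferable for version ranges.)
        return fnmatchcase(pkgname, pattern)
    try:
        base, version = split_pkgname(pkgname)
    except ValueError:
        return False
    if base != m.group(1):
        return False
    for op, bound in _CLAUSE_RE.findall(m.group(2)):
        c = dewey_cmp(version, bound)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


def parse_vulnerabilities(text):
    """Yield (pattern, exploit_type, reference) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed entry; a real checker should report it
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def audit_packages(installed, vuln_text):
    """Return (pkgname, exploit_type, reference) for every installed package that matches an entry."""
    entries = parse_vulnerabilities(vuln_text)
    return [(pkg, kind, url) for pkg in installed
            for pattern, kind, url in entries if pattern_matches(pattern, pkg)]


if __name__ == "__main__":
    for pkg, kind, url in audit_packages(INSTALLED, SAMPLE_VULNERABILITIES):
        print("Package %s has a %s vulnerability, see %s" % (pkg, kind, url))
```

With the constructed data the check flags gnut-0.4.27, foo-1.2.2, bar-2.0.3 and baz-3.1nb2 and stays silent on bar-2.0.5 and qux-1.0, which is the behaviour that lets an entry in the vulnerabilities file keep protecting users of a package after its directory has been removed from the tree.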