Subject: Re: Handling of security reports for bootstrapped pkgsrc tools on
To: David H.Gutteridge <email@example.com>
From: John Klos <firstname.lastname@example.org>
Date: 01/10/2005 01:17:30
> I've a question about reporting security issues with pkgsrc tools that
> are installed on non-NetBSD systems via the bootstrap package. Since
> they're not actually recorded as packages (except for digest), they
> can't be audited by audit-packages. Consequently, if an issue arises,
> as one with tnftp has recently, how is communication of this fact
> handled? Perhaps this is the first time it's come up?
Good point. But is there ever an instance where audit-packages is used on
a system where pkgsrc tools are not? This seems to be a good candidate for
a special case for audit-packages to check the version of pkg_tools so
that insecurities can be reported (pkg_info -V, for instance). That'd just
need to be added to audit-packages.