Subject: Re: Handling of security reports for bootstrapped pkgsrc tools on
To: David H.Gutteridge <>
From: John Klos <>
List: tech-pkg
Date: 01/10/2005 01:17:30
> I've a question about reporting security issues with pkgsrc tools that 
> are installed on non-NetBSD systems via the bootstrap package. Since 
> they're not actually recorded as packages (except for digest), they 
> can't be audited by audit-packages.  Consequently, if an issue arises, 
> as one with tnftp has recently, how is communication of this fact 
> handled? Perhaps this is the first time it's come up?

Good point. But is there ever an instance where audit-packages is used on 
a system where pkgsrc tools are not? This seems to be a good candidate for 
a special case for audit-packages to check the version of pkg_tools so 
that insecurities can be reported (pkg_info -V, for instance). That'd just 
need to be added to audit-packages.

John Klos