Subject: binary packages with vulnerabilities removed from ftp - a bad idea?
To: None <>
From: Geert Hendrickx <>
List: tech-pkg
Date: 01/29/2005 15:07:38

When a vulnerability is discovered in a package, the corresponding binary
package(s) are removed from NetBSD's ftp-mirrors.  While the reason is
obvious (we don't want vulnerable packages), I don't think this is a
good idea.  It can make it pretty difficult to use binary packages.
Some people want to set up their machines quickly: install NetBSD,
pkg_add this, pkg_add that, and get their work done.  Recompiling
vulnerable packages can be done later then, once the machine is set up
and running.  It can also be very frustrating to new users to find out
that "pkg_add kde" doesn't work, because one or more of its dependencies
are missing.  They will blame NetBSD for not being able to install and
run $FAVOURITE_PROGRAM (while it perfectly can) and switch (back) to
FreeBSD or Linux.

Of course I don't want to encourage the use of vulnerable, outdated
packages, but I think that, when NetBSD and pkgsrc offer a (great!)
framework for source and binary packages, it should *work*.  New users
should then only be taught to invoke audit-packages after a pkg_add, or
even better: pkg_add should invoke audit-packages automatically.

Alternative opinions and replies are welcome,
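A post-install check in the spirit of "run audit-packages after pkg_add", as an added example that is neither code from the original post nor from pkgsrc: it matches a constructed pkg-vulnerabilities-style list ("pattern type url" lines) against a constructed installed-package list. The supported pattern forms, the version ordering (dotted numbers plus an optional nbN suffix) and all package names, versions and URLs are assumptions or constructed sample data.

```python
import operator
import re

# Constructed pkg-vulnerabilities-style entries: "pattern type url".
# Assumption: only "name<ver" and "name>=ver<ver" style patterns are handled.
VULNS = """\
kdelibs<3.3.2nb2 remote-code-execution http://example.invalid/kdelibs
libxml2<2.6.14 buffer-overflow http://example.invalid/libxml2
ethereal>=0.9.1<0.10.9 denial-of-service http://example.invalid/ethereal
"""
# Constructed stand-in for the names an installed-package listing would print.
INSTALLED = ["kdelibs-3.3.2nb1", "libxml2-2.6.16", "ethereal-0.10.8", "zsh-4.2.1"]

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def version_key(ver):
    """'3.3.2nb2' -> ([3, 3, 2], 2); a missing nbN suffix counts as nb0.
    Simplification: only dotted numeric versions plus nbN are understood."""
    base, _, nb = ver.partition("nb")
    return [int(x) for x in base.split(".")], int(nb or 0)

def cmp_versions(a, b):
    """Return -1, 0 or 1; shorter dotted parts are padded with zeros (1.2 == 1.2.0)."""
    (ba, na), (bb, nb) = version_key(a), version_key(b)
    n = max(len(ba), len(bb))
    ka, kb = (ba + [0] * (n - len(ba)), na), (bb + [0] * (n - len(bb)), nb)
    return (ka > kb) - (ka < kb)

def matches(pattern, pkgname):
    """True if the installed 'name-version' satisfies every constraint in pattern."""
    m = re.match(r"^([^<>]+)((?:[<>]=?[^<>]+)+)$", pattern)
    pm = re.match(r"^(.*)-(\d[^-]*)$", pkgname)  # split at the last dash before a digit
    if not m or not pm or pm.group(1) != m.group(1):
        return False
    return all(OPS[op](cmp_versions(pm.group(2), ver), 0)
               for op, ver in re.findall(r"([<>]=?)([^<>]+)", m.group(2)))

def audit(installed, vulns_text):
    """Return [(pkgname, type, url)] for every installed package hit by an entry."""
    hits = []
    for line in vulns_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vtype, url = line.split()
        hits.extend((p, vtype, url) for p in installed if matches(pattern, p))
    return hits

if __name__ == "__main__":
    for pkg, vtype, url in audit(INSTALLED, VULNS):
        print(f"Package {pkg} has a {vtype} vulnerability, see {url}")
```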