Subject: Re: binary packages with vulnerabilities removed from ftp - a bad
To: Geert Hendrickx <firstname.lastname@example.org>
From: Matthias Buelow <email@example.com>
Date: 01/30/2005 05:11:36
Geert Hendrickx wrote:
> Of course I don't want to encourage the use of vulnerable, outdated
> packages, but I think that, when NetBSD and pkgsrc offer a (great!)
> framework for source and binary packages, it should *work*. New users
> should then only be taught to invoke audit-packages after a pkg_add, or
> even better: pkg_add should invoke audit-packages automatically.
maybe move the problematic package files into a separate, distinctive
directory reserved for packages with security bugs, and have the pkg_add
mechanism issue a comprehensible warning about that, including that they
have been relocated, and why that has been done so (a standard message
would probably suffice here). then the user can manually add these
problematic packages from that directory, if he wants to.
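As an added shell sketch of the quarantine idea proposed above (example code, not from the thread, NetBSD or pkgsrc): it assumes a constructed list of vulnerable package names standing in for audit-packages output, a vulnerable/ subdirectory under the package directory, and a hypothetical guarded_pkg_add wrapper that prints the standard relocation warning instead of calling the real pkg_add.

```shell
#!/bin/sh
# Demo of the "relocate vulnerable binary packages" proposal (constructed example).
# Assumptions: packages are *.tgz files in PKGDIR; LISTFILE holds one vulnerable
# package name-version per line (a stand-in for what audit-packages reports).

set -u

# quarantine_vulnerable PKGDIR LISTFILE
# Moves each listed package from PKGDIR into PKGDIR/vulnerable/ and prints the
# number of packages relocated on stdout.
quarantine_vulnerable() {
    pkgdir=$1; listfile=$2
    mkdir -p "$pkgdir/vulnerable"
    moved=0
    while read -r vuln; do
        [ -n "$vuln" ] || continue            # skip blank lines
        case $vuln in \#*) continue ;; esac   # skip comment lines
        if [ -f "$pkgdir/$vuln.tgz" ]; then
            mv "$pkgdir/$vuln.tgz" "$pkgdir/vulnerable/"
            moved=$((moved + 1))
        fi
    done < "$listfile"
    echo "$moved"
}

# guarded_pkg_add PKGFILE
# Hypothetical wrapper: if the package lives under vulnerable/, print the
# standard message (it was relocated, and why) and refuse unless the user
# explicitly sets ALLOW_VULNERABLE=yes. Returns 0 on (simulated) install.
guarded_pkg_add() {
    pkgfile=$1
    case $pkgfile in
        */vulnerable/*)
            echo "WARNING: $(basename "$pkgfile") was relocated to vulnerable/" >&2
            echo "because a known security problem was reported for it" >&2
            echo "(run audit-packages for details)." >&2
            if [ "${ALLOW_VULNERABLE:-no}" != yes ]; then
                echo "Refusing to install; set ALLOW_VULNERABLE=yes to override." >&2
                return 1
            fi ;;
    esac
    # the real pkg_add invocation would go here; the demo only reports it
    echo "would install $pkgfile"
    return 0
}
```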