Subject: Re: binary packages with vulnerabilities removed from ftp - a bad idea?
To: Matthias Buelow <mkb@incubus.de>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-pkg
Date: 01/30/2005 13:18:30
On Sun, Jan 30, 2005 at 05:11:36AM +0100, Matthias Buelow wrote:
> maybe move the problematic package files into a separate, distinctive 
> directory reserved for packages with security bugs, and have the pkg_add 
> mechanism issue a comprehensible warning about that, including that they 
> have been relocated, and why that has been done so (a standard message 
> would probably suffice here).  Then the user can manually add these 
> problematic packages from that directory, if he wants to.

I've been thinking about this for some time too. Another issue that
happens from time to time is that a package is marked vulnerable by
mistake (the most common being a vulnerability in version x and later,
but pkg-vulnerabilities has an entry <=x), so binary packages are
removed by mistake, and are lost.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
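Added illustration of the two points raised in this message (the quarantine directory proposed in the quoted text, and a pkg-vulnerabilities entry with the wrong version range); this is example code written for this page, not pkgsrc's audit-packages or pkg_admin. It assumes binary packages are files named NAME-VERSION.tgz, that the vulnerability list uses the three-column "pattern type url" layout, and it uses a simplified version comparison (dotted integers plus an optional nbN revision), not the full pkgsrc dewey rules. The package names, versions and advisory URLs are constructed.

```python
"""Quarantine, rather than delete, binary packages that a vulnerability
list flags.  Example for the tech-pkg thread; not a pkgsrc tool.
Assumptions (not from the thread): packages are NAME-VERSION.tgz files,
the list is "pattern type url" per line, and versions are compared as
dotted integers with an optional nbN suffix (simplified dewey)."""
import os
import re
import shutil
import tempfile

# Constructed sample list.  The "widget<=1.2" line is the mistake the
# message describes: the bug is in 1.2 and later, so it should be ">=1.2".
SAMPLE_VULNS_WRONG = """\
# package-pattern   type-of-exploit        url
widget<=1.2         remote-code-execution  http://example.invalid/widget-advisory
gadget>=2.0<2.3     denial-of-service      http://example.invalid/gadget-advisory
"""
SAMPLE_VULNS_RIGHT = SAMPLE_VULNS_WRONG.replace("widget<=1.2", "widget>=1.2")

# Constructed contents of a binary-package directory.
SAMPLE_PKGS = ["widget-1.1.tgz", "widget-1.2.tgz", "widget-1.3nb1.tgz",
               "gadget-1.9.tgz", "gadget-2.2.tgz", "gadget-2.3.tgz"]

_OPS = re.compile(r"(>=|<=|>|<)([0-9][0-9A-Za-z.]*)")


def dewey(version):
    """Simplified key: list of dotted integers plus the nbN revision."""
    base, _, nb = version.partition("nb")
    parts = [int(p) for p in re.findall(r"\d+", base)]
    return parts, (int(nb) if nb else 0)


def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0."""
    pa, na = dewey(a)
    pb, nb = dewey(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    ka, kb = (pa, na), (pb, nb)
    return (ka > kb) - (ka < kb)


def parse_pattern(pattern):
    """'gadget>=2.0<2.3' -> ('gadget', [('>=', '2.0'), ('<', '2.3')])."""
    m = _OPS.search(pattern)
    if m is None:
        raise ValueError("unsupported pattern: " + pattern)
    return pattern[:m.start()], _OPS.findall(pattern[m.start():])


def split_pkg(filename):
    """'foo-bar-1.0nb2.tgz' -> ('foo-bar', '1.0nb2')."""
    stem = filename[:-4] if filename.endswith(".tgz") else filename
    name, _, version = stem.rpartition("-")
    return name, version


def pattern_matches(pattern, filename):
    name, ops = parse_pattern(pattern)
    pkgname, version = split_pkg(filename)
    if pkgname != name:
        return False
    checks = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
              ">": lambda c: c > 0, "<": lambda c: c < 0}
    return all(checks[op](compare_versions(version, bound)) for op, bound in ops)


def load_vulnerabilities(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        entries.append((pattern, kind, url))
    return entries


def flagged_packages(filenames, vuln_text):
    """Map each flagged filename to the (pattern, type, url) entries hitting it."""
    hits = {}
    for pattern, kind, url in load_vulnerabilities(vuln_text):
        for fn in filenames:
            if pattern_matches(pattern, fn):
                hits.setdefault(fn, []).append((pattern, kind, url))
    return hits


def quarantine(pkgdir, vuln_text, subdir="vulnerable"):
    """Move flagged packages into pkgdir/subdir and record why in a README.
    Moving instead of deleting means an entry with a wrong range can be
    corrected and the files moved back; nothing is lost."""
    files = [f for f in os.listdir(pkgdir) if f.endswith(".tgz")]
    hits = flagged_packages(files, vuln_text)
    dest = os.path.join(pkgdir, subdir)
    os.makedirs(dest, exist_ok=True)
    with open(os.path.join(dest, "README"), "a") as note:
        for fn in sorted(hits):
            shutil.move(os.path.join(pkgdir, fn), os.path.join(dest, fn))
            for pattern, kind, url in hits[fn]:
                note.write("%s: matched %s (%s) %s\n" % (fn, pattern, kind, url))
    return sorted(hits)


def demo():
    """Run the quarantine with the wrong list on a throwaway directory."""
    tmp = tempfile.mkdtemp()
    for fn in SAMPLE_PKGS:
        open(os.path.join(tmp, fn), "wb").close()
    moved = quarantine(tmp, SAMPLE_VULNS_WRONG)
    left = sorted(f for f in os.listdir(tmp) if f.endswith(".tgz"))
    shutil.rmtree(tmp)
    return moved, left


if __name__ == "__main__":
    print("wrong entry flags:", sorted(flagged_packages(SAMPLE_PKGS, SAMPLE_VULNS_WRONG)))
    print("right entry flags:", sorted(flagged_packages(SAMPLE_PKGS, SAMPLE_VULNS_RIGHT)))
    moved, left = demo()
    print("moved to vulnerable/:", moved)
    print("still in pkgdir:", left)
```

With the wrong `widget<=1.2` entry the script quarantines widget-1.1 and widget-1.2 and leaves the actually affected widget-1.3nb1 in place; with `widget>=1.2` it flags 1.2 and 1.3nb1 instead. Because the files are only moved, fixing the entry and moving them back recovers from the mistake, which a deletion would not allow.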