Subject: Re: binary packages with vulnerabilities removed from ftp - a bad idea?
To: Jeremy C. Reed <>
From: Geert Hendrickx <>
List: tech-pkg
Date: 02/04/2005 17:47:56

On Sat, Jan 29, 2005 at 09:51:07PM -0800, Jeremy C. Reed wrote:
> On Sat, 29 Jan 2005, Geert Hendrickx wrote:
> >
> > When a vulnerability is discovered in a package, the according binary
> > package(s) are removed from NetBSD's ftp-mirrors.  While the reason is
> > obvious (we don't want vulnerable packages), I don't think this is a
> > good idea.  It can make it pretty difficult to use binary packages.
> Yes, this is an inconvenience.
> We should have a daily script that checks to see what packages are missing
> and complains to the pkgsrc developers list every day!

Yes, that would be good.  But IMHO, it would be better if a package were
only removed when a new (fixed) one is uploaded, so that the binary
package repository is complete at all times.