Subject: Re: binary packages with vulnerabilities removed from ftp - a bad idea?
To: Jeremy C. Reed <email@example.com>
From: Geert Hendrickx <firstname.lastname@example.org>
Date: 02/04/2005 17:47:56
On Sat, Jan 29, 2005 at 09:51:07PM -0800, Jeremy C. Reed wrote:
> On Sat, 29 Jan 2005, Geert Hendrickx wrote:
> > When a vulnerability is discovered in a package, the corresponding binary
> > package(s) are removed from NetBSD's FTP mirrors. While the reason is
> > obvious (we don't want vulnerable packages), I don't think this is a
> > good idea. It can make it pretty difficult to use binary packages.
> Yes, this is an inconvenience.
> We should have a daily script that checks to see what packages are missing
> and complains to the pkgsrc developers list every day!
Yes, that would be good. But IMHO, it would be better if a package were
only removed when a new (fixed) one is uploaded. So that the binary
package repository is complete at all times.