Subject: HEADS UP: change regarding vulnerable packages
To: None <tech-pkg@NetBSD.org>
From: Thomas Klausner <wiz@NetBSD.org>
List: tech-pkg
Date: 05/06/2005 23:36:59

Hi!

From this week on, the policy has been changed so that vulnerable
packages are not removed from ftp.NetBSD.org any longer, but instead
moved to a different subdirectory.

So if you prefer having a complete binary package set available
and take the risk of having vulnerable packages installed, you can
add ..../vulnerable to your PKG_PATH (where .... is the same path leading
up to /All).
Example: if you are currently using
PKG_PATH=ftp://ftp.NetBSD.org/pub/NetBSD/packages/2.0/i386/All
you could switch to
PKG_PATH="ftp://ftp.NetBSD.org/pub/NetBSD/packages/2.0/i386/All;ftp://ftp.NetBSD.org/pub/NetBSD/packages/2.0/i386/vulnerable"

The quoting is necessary because the semicolon (';') is a shell
meta-character.

If you do this, you should really start using security/audit-packages,
and run it especially after installing new packages.

Cheers,
 Thomas

P.S.: It might be that currently available binary package sets
are incomplete from before this change, but I expect that at
least starting with the next stable branch, incomplete binary
package sets should be a problem of the past.
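
The PKG_PATH change described in the message above, as an added example that is not part of the original post: a POSIX shell helper (the names `add_vulnerable` and `unquoted_value` are hypothetical) that appends the sibling `vulnerable` directory to each entry ending in `/All`, plus a check of what an unquoted assignment actually stores.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Print a PKG_PATH in which every entry ending in /All is followed (at the end
# of the list) by its sibling .../vulnerable directory, without duplicates.
add_vulnerable() {
    old=$1
    result=$old
    saved_ifs=$IFS
    IFS=';'        # PKG_PATH entries are separated by semicolons
    set -f         # do not glob-expand entries while splitting
    for entry in $old; do
        case $entry in
            */All)
                sibling="${entry%/All}/vulnerable"
                case ";$result;" in
                    *";$sibling;"*) ;;                  # already listed
                    *) result="$result;$sibling" ;;
                esac
                ;;
        esac
    done
    set +f
    IFS=$saved_ifs
    printf '%s\n' "$result"
}

# Show why the quotes are needed: without them the shell ends the assignment
# at ';' and tries to run the second URL as a command (which fails as a
# nonexistent file path; no network access happens). Prints what PKG_PATH
# really contains afterwards.
unquoted_value() {
    sh -c 'PKG_PATH=ftp://ftp.NetBSD.org/pub/NetBSD/packages/2.0/i386/All;ftp://ftp.NetBSD.org/pub/NetBSD/packages/2.0/i386/vulnerable
           printf "%s\n" "$PKG_PATH"' 2>/dev/null
}

# Usage with the path from the message; the command substitution is quoted so
# the semicolon stays inside the value.
PKG_PATH="$(add_vulnerable 'ftp://ftp.NetBSD.org/pub/NetBSD/packages/2.0/i386/All')"
export PKG_PATH
printf 'quoted:   %s\n' "$PKG_PATH"
printf 'unquoted: %s\n' "$(unquoted_value)"
```

With the unquoted form the `vulnerable` directory is silently dropped from PKG_PATH, so the only visible symptom is a "not found" error from the shell.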