Subject: Re: HEADS UP: change regarding vulnerable packages
To: Hubert Feyrer <>
From: Thomas Klausner <>
List: tech-pkg
Date: 05/07/2005 01:16:05

On Sat, May 07, 2005 at 12:18:39AM +0200, Hubert Feyrer wrote:
> I guess a policy about vulnerable packages should be documented near the 
> policy about packages in general. I guess the closest thing to such a 
> document would be somewhere in section 5 "Creating binary packages" of the 
> pkgsrc guide. Maybe add a new section 5.3.9 "Handling vulnerable 
> packages".

It doesn't seem the right place -- there is no documentation
in this direction there so far.

It is even missing documentation on not uploaded restricted
packages (or did I overlook it?). Could you please add that?
We really shouldn't be doing that...

> (It may be worth investigating to move "5.3 Doing a bulk build of all 
> packages" into the pkgsrc Developers' guide, e.g. as 11.4.)

Yes, and it should really recommend the sandbox method (i.e.
mention it first and only mention non-sandboxed builds as
an alternate method if sandboxed ones are not possible for
a reason. pkg_comp could also be mentioned.)

> The pkgsrc or NetBSD guide? :) They may both need checking.

The pkgsrc guide. I'll take a look at the NetBSD guide later.

> Also, there are more places that mention the additional place:
>  * src/distrib/notes/common/postinstall

I looked at it. I don't want to complicate the instructions
there any more, they are, after all, only intended to be basic.

>  * src/usr.sbin/pkg_install/add/pkg_add.1 and any other places like
>    pkgsrc/bootstrap/... this manpage resides

pkgsrc/pkgtools/pkg_install, I updated both.