tech-pkg archive


Re: [HEADSUP] Removing vulnerable packages



I think you misunderstood my intention.
I selected packages which have security issues for over 15 months
(probably much longer in some cases) _and_ which weren't updated in the
same timeframe. This is in my eyes a good indicator of packages in
which no one is seriously interested and for which an upstream might
not even exist any longer.

There is no point in keeping such packages in pkgsrc, since we're not
maintaining them.

If someone is still using them, they have ample time to speak up, and
I'm not going to remove those packages, even if they stay unfixed.

On the other hand, I already fixed some of them...

>   lmbench: I use this occasionally.  The problem is limited to untrusted
>   local users gaining the permissions of the user running lmbench.  For
>   many environments this is not a big deal.  (IMHO, running a system
>   with untrustworthy local users is unsound, regardless of known
>   issues.)
> 
>   snort: This should stay, even if not fixed yet; it's lame for us not
>   to have it.  Needs update to 2.9.0.4.  It looks pretty easy and I'll
>   give it a try.
> 
>   gdb: this is to provide gdb for platforms other than NetBSD, which
>   don't already have it native?  It seems like there's little call for
>   this and thus ok to remove, but perhaps 

I'll leave these alone.

>   most of the rest of the packages not marked [will not remove]

I'm not sure what you mean here.
Thomas

