Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: Ing.,BcA. Ivan Dolezal <firstname.lastname@example.org>
From: Jaromir Dolecek <email@example.com>
Date: 07/12/2002 16:22:59
Ing.,BcA. Ivan Dolezal wrote:
> I don't really follow the sentence: "Note that we no longer issue
> advisories for thirdparty software packages (pkgsrc). Instead, an
> automated mechanism to audit installed binary package is provided in
> pkgsrc/security/audit-packages." I have no idea, what is behind "an
> automated mechanism".
It's automated in sense 'automatic check for vulnerabilities'.
It uses vulnerability list stored on ftp.netbsd.org. The list
is updated whenever new vulnerability is found. If there isn't entry
for your pkg, it means that NetBSD security team isn't aware of
any vulnerability for that pkg.
I believe the general policy for pkgsrc is that no active search
for known vulnerabilities or direct auditing is done. I believe
that pkgsrc is generally off limits and it's responsibility of
administator to make sure software they use doesn't have security
The vulnerability list on ftp.netbsd.org contains generally known
vulnerabilities, it may not contain recent vulnerabilities in some
more exotic software; it's merely (big) help, not definitive source.
Generally, there isn't particular reason to stick with older
version. If the pkgsrc entry isn't uptodate, send-pr a change-request
PR (preferably with patch) to get it updated :)
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.org/Ports/i386/ps2.html
-=- We should be mindful of the potential goal, but as the tantric -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow. Do not let this distract you.'' -=-