Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: Ing.,BcA. Ivan Dolezal <firstname.lastname@example.org>
From: Jaromir Dolecek <email@example.com>
Date: 07/12/2002 16:44:43
Ing.,BcA. Ivan Dolezal wrote:
> But my question was different: what mechanism is behind gathering
> information for "vulnerabilities" text file? How many people care of it?
> On what basis? Are they paid by NetBSD Foundation? Or Wassabi Systems?
> Or is it just a chaotic mess?
I don't think anyone is actively searching for new vulnerabilities.
I believe the file is merely updated whenever anyone of NetBSD developers
learns about new vulnerability which affects something in pkgsrc.
Seems like the most active people updating pkg-vulnerabilities are
Itojun, Matthias Scheler; less David Maxwell, Manuel Bouyer, Thomas
Klausner; also Jim Wise, Johnny C. Lam, Alistair G. Crooks, Bill
> Also: if a package stays calmly in pkgsrc collection for a suspiciously
> long time (this is obviously more an issue of security software,
> firewalls than let's say a TeX), does anybody care if it shouldn't be
> removed - becuase the package maintainer doesn't care anymore - rather
> than making people think they are safe?
I don't think such policy is desirable. Why remove perfectly well working
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.org/Ports/i386/ps2.html
-=- We should be mindful of the potential goal, but as the tantric -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow. Do not let this distract you.'' -=-