Subject: pkg/37426: Vulnerable packages not automatically moved to vulnerable/ on FTP?
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <mmondor@pulsar-zone.net>
List: pkgsrc-bugs
Date: 11/24/2007 10:50:00
>Number:         37426
>Category:       pkg
>Synopsis:       Vulnerable packages not automatically moved to vulnerable/ on FTP?
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 24 10:50:00 +0000 2007
>Originator:     Matthew Mondor
>Release:        n/a
>Organization:
>Environment:
n/a
>Description:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD-4.0/i386/All/cups-1.2.12.tgz was not moved to the vulnerable/ section, yet pkg-audit caught:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351

Is there a cron event in place to automatically move such packages out of the main tree?

It also might be nice in the future for pkg_add to support checking for vulnerable packages like pkgsrc does, but this could be the subject of another PR or project.
>How-To-Repeat:

>Fix:
A script run via a cron event might be a good solution
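The cron-driven check proposed in the Fix section, written out as an added example that is not part of this PR or of pkgsrc. It assumes a pkg_admin whose audit-pkg subcommand exits non-zero when the named package matches a fetched pkg-vulnerabilities entry; the AUDIT_CMD knob and the function names are this example's own.

```shell
#!/bin/sh
# Move binary packages that the auditor flags as vulnerable out of All/
# and into vulnerable/.  Added example, not from this PR or from pkgsrc.
# Assumptions: pkg_admin has the audit-pkg subcommand, it exits non-zero
# when the package name matches a pkg-vulnerabilities entry, and the file
# has been fetched beforehand (pkg_admin fetch-pkg-vulnerabilities).
set -u

# Auditor for one package name (hypothetical knob so the script can be
# exercised with a stub instead of the real pkg_admin).
: "${AUDIT_CMD:=pkg_admin audit-pkg}"

# is_vulnerable NAME: true when the auditor reports NAME as vulnerable.
is_vulnerable() {
    ! $AUDIT_CMD "$1" >/dev/null 2>&1
}

# quarantine_vulnerable ALLDIR VULNDIR: move every vulnerable .tgz in ALLDIR
# to VULNDIR and print the moved package names, one per line.
# Refuses to run when the auditor is missing: a failing auditor would
# otherwise look "vulnerable" for every package and empty the tree.
quarantine_vulnerable() {
    alldir=$1 vulndir=$2
    command -v "${AUDIT_CMD%% *}" >/dev/null 2>&1 || {
        echo "auditor not found: ${AUDIT_CMD%% *}" >&2; return 2; }
    mkdir -p "$vulndir" || return 1
    for f in "$alldir"/*.tgz; do
        [ -e "$f" ] || continue               # unmatched glob: no packages
        name=$(basename "$f" .tgz)            # e.g. cups-1.2.12
        if is_vulnerable "$name"; then
            mv -- "$f" "$vulndir/" || return 1
            echo "$name"
        fi
    done
}

# Cron use, e.g. hourly as the mirror owner (path is a placeholder):
#   0 * * * * /path/to/quarantine-vuln.sh /pub/pkgsrc/packages/NetBSD-4.0/i386
if [ $# -ge 1 ]; then
    quarantine_vulnerable "$1/All" "$1/vulnerable"
fi
```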