Subject: OpenSSL is vulnerable but pkgsrc needs it to build the guide? o_O
To: None <pkgsrc-users@netbsd.org>
From: Gueven Bay <gueven.bay@googlemail.com>
List: pkgsrc-users
Date: 10/31/2007 09:25:07
As far as I understand from the message with which pkgsrc stopped
building the guide (included at the bottom of this posting), pkgsrc
says "You know openssl is vulnerable, but I need it to build the guide,
so set ALLOW_VULNERABLE_PACKAGES, please".

Is this the right interpretation of the error message?
Why does pkgsrc not just download the non-vulnerable version of
openssl? I downloaded the fresh vulnerability list ca. two hours
before this build.

The error message:

gmake[2]: Leaving directory `/usr/pkgsrc/devel/boehm-gc/work/gc-7.0'
gmake[1]: Leaving directory `/usr/pkgsrc/devel/boehm-gc/work/gc-7.0'
/usr/ucb/install -c -o root -g root -m 444
/usr/pkgsrc/devel/boehm-gc/work/gc-7.0/doc/gc.man
/usr/pkg/man/man3/gc.3
=> Automatic manual page handling
=> Registering installation for boehm-gc-7.0
===> Building binary package for boehm-gc-7.0
Creating package /usr/pkgsrc/packages/All/boehm-gc-7.0
Using SrcDir value of /usr/pkg
=> Returning to build of w3m-0.5.2
=> Full dependency gettext-lib>=0.14.5: gettext-lib-0.14.6 found
=> Full dependency openssl>=0.9.7inb1: NOT found
=> Verifying package for ../../security/openssl
=> Bootstrap dependency digest>=20010302: digest-20070803 found
===> Checking for vulnerabilities in openssl-0.9.7inb4
Package openssl-0.9.7inb4 has a arbitrary-code-execution
vulnerability, see http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in
audit-packages.conf(5) if this package is absolutely essential.
*** Error code 255

Stop.
bmake: stopped in /usr/pkgsrc/security/openssl
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/www/w3m
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/doc/guide
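As an added example (not part of this mailing-list post and not pkgsrc's own audit-packages code), the following Python script models the check that stopped the build above: it parses lines in the pkg-vulnerabilities format (version pattern, vulnerability type, advisory URL), matches a package name-version such as openssl-0.9.7inb4 against dewey-style patterns like `openssl<0.9.7inb5`, applies an IGNORE_URLS-style exclusion list, and formats the same "Package ... has a ... vulnerability, see ..." report that appears in the log. The version ordering is a simplified re-implementation of pkg_install's dewey rules (numeric components, "." separators, alpha/beta/pre/rc/pl modifiers, a bare trailing letter as a sub-release, and an nbN revision compared last) and is an assumption about those rules, not the real code. The sample entries, the version bounds 0.9.7inb5 and 0.9.8g, and the example.invalid URL are constructed for illustration and are not taken from the real pkg-vulnerabilities file; only the CVE URL comes from the log above. Glob and exact-version patterns are not handled.

```python
#!/usr/bin/env python3
"""Model of the pkgsrc vulnerability check (added example; simplified dewey rules, an assumption)."""
import re

# Special component values, ordered as pkg_install's dewey rules order them
# (assumption): alpha < beta < rc/pre < plain release ("." and "pl" count as 0).
DOT, RC, BETA, ALPHA = 0, -1, -2, -3
_MODIFIERS = [("alpha", ALPHA), ("beta", BETA), ("pre", RC), ("rc", RC), ("pl", DOT), (".", DOT)]


def dewey_components(version):
    """Split a version string into integer components plus the nbN package revision."""
    comps, nb, i = [], 0, 0
    while i < len(version):
        c = version[i]
        if c.isdigit():                                # a run of digits is one numeric component
            j = i
            while j < len(version) and version[j].isdigit():
                j += 1
            comps.append(int(version[i:j]))
            i = j
            continue
        low = version[i:].lower()
        if low.startswith("nb"):                       # pkgsrc revision suffix, e.g. nb4
            j = i + 2
            while j < len(version) and version[j].isdigit():
                j += 1
            nb = int(version[i + 2:j]) if j > i + 2 else 0
            i = j
            continue
        for name, val in _MODIFIERS:                   # named modifiers before bare letters
            if low.startswith(name):
                comps.append(val)
                i += len(name)
                break
        else:
            if c.isalpha():                            # bare letter: 0.9.7i sorts after 0.9.7, before 0.9.7j
                comps.extend((DOT, ord(c.lower()) - ord("a") + 1))
            i += 1                                     # any other character is skipped
    return comps, nb


def dewey_cmp(a, b):
    """Return -1, 0 or 1 comparing version a to version b (missing components count as 0)."""
    ca, na = dewey_components(a)
    cb, nb = dewey_components(b)
    width = max(len(ca), len(cb))
    ca += [0] * (width - len(ca))
    cb += [0] * (width - len(cb))
    for x, y in zip(ca, cb):
        if x != y:
            return -1 if x < y else 1
    return (na > nb) - (na < nb)                       # nb revision decides only on otherwise equal versions


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def pattern_matches(pattern, pkg):
    """True if pkg ("name-version") satisfies a dewey pattern such as name>=1.0<1.2."""
    m = re.fullmatch(r"([^<>]+?)((?:[<>]=?[^<>]+)+)", pattern)
    if not m:                                          # glob and exact patterns are out of scope here
        return False
    name, ops = m.groups()
    pname, pver = pkg.rsplit("-", 1)                   # version is everything after the last "-"
    if pname != name:
        return False
    return all(_OPS[op](dewey_cmp(pver, ver)) for op, ver in re.findall(r"([<>]=?)([^<>]+)", ops))


def parse_vulnerabilities(text):
    """Parse pkg-vulnerabilities-style lines: 'pattern type URL', ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not line.lstrip().startswith("#"):
            entries.append(tuple(parts))
    return entries


def audit(pkg, entries, ignore_urls=()):
    """Return (type, url) for every entry matching pkg, minus URLs listed as ignored."""
    return [(kind, url) for pat, kind, url in entries
            if pattern_matches(pat, pkg) and url not in ignore_urls]


def format_report(pkg, entries, ignore_urls=()):
    """Render findings in the wording the build log shows."""
    return ["Package %s has a %s vulnerability, see %s" % (pkg, kind, url)
            for kind, url in audit(pkg, entries, ignore_urls)]


CVE_URL = "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135"    # taken from the log above
# Constructed sample database: the version bounds and the second advisory are illustrative only.
SAMPLE = """\
# pkg-vulnerabilities format (constructed): pattern type URL
openssl<0.9.7inb5 arbitrary-code-execution %s
openssl>=0.9.8<0.9.8g arbitrary-code-execution %s
example-pkg<1.2 denial-of-service http://example.invalid/constructed-advisory
""" % (CVE_URL, CVE_URL)
ENTRIES = parse_vulnerabilities(SAMPLE)

if __name__ == "__main__":
    for line in format_report("openssl-0.9.7inb4", ENTRIES):
        print(line)
    print("with IGNORE_URLS:", format_report("openssl-0.9.7inb4", ENTRIES, {CVE_URL}))
```

Running it reproduces the log's message for openssl-0.9.7inb4, shows that a package revision past the constructed bound (openssl-0.9.7inb5) is clean, and shows how an IGNORE_URLS entry suppresses one advisory rather than disabling the whole check.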