pkgsrc-Users archive


Re: [HEADSUP] Removing vulnerable packages



Thomas Klausner <wiz%NetBSD.org@localhost> writes:

> I think you misunderstood my intention.
> I selected packages which have security issues for over 15 months
> (probably much longer in some cases) _and_ which weren't updated in the
> same timeframe. This is in my eyes a good indicator of packages in
> which no one is seriously interested and for which an upstream might
> not even exist any longer.
>
> There is no point in keeping such packages in pkgsrc, since we're not
> maintaining them.

OK, that makes sense, but the notion of "these packages are obviously
ancient and no one should be using them" did not come through to me in
your message.  It's the "vulnerable and not updated recently => presumed
should be removed" logic that I object to.  

>>   lmbench: I use this occasionally.  The problem is limited to untrusted
>>   local users gaining the permissions of the user running lmbench.  For
>>   many environments this is not a big deal.  (IMHO, running a system
>>   with untrustworthy local users is unsound, regardless of known
>>   issues.)
>> 
>>   snort: This should stay, even if not fixed yet; it's lame for us not
>>   to have it.  Needs update to 2.9.0.4.  It looks pretty easy and I'll
>>   give it a try.
>> 
>>   gdb: this is to provide gdb for platforms other than NetBSD, which
>>   don't already have it native?  It seems like there's little call for
>>   this and thus ok to remove, but perhaps 

I didn't mean to speak up for the gdb package.  I don't understand its
purpose, as the in-tree gdb seems better for NetBSD.


>>   most of the rest of the packages not marked [will not remove]
>
> I'm not sure what you mean here.

I meant to concur with those needing to stay for various reasons.



