pkgsrc-Users archive


Re: Update or remove asterisk18?



Jonathan Schleifer <js-pkgsrc%webkeks.org@localhost> writes:

> asterisk18 has more than 2 security problems for several months
> now. For all of them, patches were released, yet none was incorporated
> into NetBSD. In the meantime, the number of security problems
> increased, yet no update to pkgsrc at all. Currently, it has 5
> security issues - patches exist for all of them.
>
> So, I suggest to either maintain it again or remove the package, as a
> package that insecure that is not even maintained is just not helping
> at all.
>
> PS: Yes, I am using it. Yes, I'm still suggesting to remove it if it
> is not being maintained.

Generally, my opinion is to assess whether having the package removed is
in the best interest of pkgsrc users, keeping in mind finite effort on
the part of pkgsrc maintainers.  Removing packages makes it harder to
update them later, while leaving a package at a slightly old revision
with known vulnerabilities causes almost no problems.  And, removal
makes it harder for a user to choose to use the package anyway.

You say that you're using it, but that it's "just not helping at all".
That seems inconsistent.

In this case, it seems jnemeth@ has updated to a newer upstream release
a few hours ago.
