Jonathan Schleifer <js-pkgsrc%webkeks.org@localhost> writes:

> asterisk18 has more than 2 security problems for several months
> now. For all of them, patches were released, yet none was incorporated
> into NetBSD. In the meantime, the number of security problems
> increased, yet no update to pkgsrc at all. Currently, it has 5
> security issues - patches exist for all of them.
>
> So, I suggest to either maintain it again or remove the package, as a
> package that insecure that is not even maintained is just not helping
> at all.
>
> PS: Yes, I am using it. Yes, I'm still suggesting to remove it if it
> is not being maintained.

Generally, my opinion is to assess whether having the package removed is in the best interest of pkgsrc users, keeping in mind finite effort on the part of pkgsrc maintainers.

Removing packages makes it harder to update them later, while leaving a package at a slightly old revision with known vulnerabilities causes almost no problems. And, removal makes it harder for a user to choose to use the package anyway.

You say that you're using it, but that it's "just not helping at all". That seems inconsistent.

In this case, it seems jnemeth@ has updated to a newer upstream release a few hours ago.