Subject: Re: binary packages with vulnerabilities removed from ftp - a bad
To: Geert Hendrickx <geert.hendrickx@ua.ac.be>
From: Matthias Buelow <mkb@incubus.de>
List: tech-pkg
Date: 01/30/2005 05:11:36
Geert Hendrickx wrote:

> Of course I don't want to encourage the use of vulnerable, outdated
> packages, but I think that, when NetBSD and pkgsrc offer a (great!)
> framework for source and binary packages, it should *work*.  New users
> should then only be taught to invoke audit-packages after a pkg_add, or
> even better: pkg_add should invoke audit-packages automatically.  

Maybe move the problematic package files into a separate, distinctive
directory reserved for packages with security bugs, and have the pkg_add
mechanism issue a comprehensible warning about that, including that they
have been relocated, and why that has been done so (a standard message
would probably suffice here). Then the user can manually add these
problematic packages from that directory, if he wants to.