On Tue, May 27, 2025 at 3:30 AM Jonathan Perkin via gnats <gnats-admin%netbsd.org@localhost> wrote:
>
> The following reply was made to PR pkg/59446; it has been noted by GNATS.
> ...
> * On 2025-05-27 at 09:50 BST, Kimmo Suominen via gnats wrote:
>
> > You cannot configure pkgin settings in /etc/mk.conf as it has its own
> > configuration files. I don't think pkgin has a corresponding setting,
> > though.
>
> It doesn't, and I have no plans to add one to it, not unless either
> pkg-vulnerabilities is overhauled to provide a scoring system, or the
> vulnerabilities it lists are taken seriously.

In the context of enabling pkgsrc's formal approval as enterprise-grade
package building software, I consider per-package CVE tracking via
pkg-vulnerabilities essential. This functionality is critical for security
accounting and oversight at any site using pkgsrc.