1) I object to an automatic removal process just because of a vulnerability entry. A number of vulnerabilities affect only some usages. Broad removal is way too heavy-handed, and I fail to see how that is connected with the goal of making pkgsrc useful for pkgsrc users. pkgsrc lets people build and manage code, and there's a separate issue of deciding whether to use it. pkgsrc doesn't have a duty of care about vulnerabilities, and I think it's important not to take that on.

2) Some of those packages are in the category of "no one in their right mind should be using them". Proposing to delete those seems fine, but the justification is "no one cares or should care" and the vulnerability issue should be secondary.

3) Specific comments

lmbench: I use this occasionally. The problem is limited to untrusted local users gaining the permissions of the user running lmbench. For many environments this is not a big deal. (IMHO, running a system with untrustworthy local users is unsound, regardless of known issues.)

snort: This should stay, even if not fixed yet; it's lame for us not to have it. Needs update to 2.9.0.4. It looks pretty easy and I'll give it a try.

gdb: this is to provide gdb for platforms other than NetBSD, which don't already have it native? It seems like there's little call for this and thus ok to remove, but perhaps most of the rest of the packages not marked [will not remove]