On 31/01/2020 07:49, yarl-baudig%mailoo.org@localhost wrote:
> Please Maya and Mr Billquist, can you be more specific about how it is insecure? To all: Is someone working on it and what is ongoing to improve this?
I feel this thread belongs to pkgsrc-users@ or even better tech-pkg@ and I'm not the OP, but here are my thoughts: binary packages are bulk-built from pkgsrc. pkgsrc is not strictly part of the operating system base; its packages are external applications. Making a rough and totally uneducated comparison between NetBSD and, say, OpenBSD, the former is more focused on usability and making sure the system doesn't break, while the latter is totally focused on security, to the point of mutilating crucial parts of the OS if that doesn't fit its self-imposed standards (I'm oversimplifying).
I believe there's an internal pkgsrc security mailing list to which users have no access (I could be wrong), so I don't really know how this auditing really works.
One can always "pkg_admin fetch-pkg-vulnerabilities && pkg_admin audit".

-- 
Ottavio Caruso