Subject: Re: apache binary (sparc) for 1.4.2
To: Thomas Klausner <wiz@danbala.ifoer.tuwien.ac.at>
From: Toby Thain <toby@disegno.com.au>
List: tech-pkg
Date: 01/11/2001 14:31:40
Thomas Klausner wrote:
> 
> Mutt made me believe that Toby Thain wrote:
> > Has the apache binary been pulled from
> > ftp://ftp.netbsd.org/packages/1.4.2/sparc/www/ ??
> > :(
> 
> That's probably because I deleted all packages (dewey-)matching
> apache<1.3.14 because of a 'remote-user-access' mentioned in the
> vulnerabilities file, URL:
> http://httpd.apache.org/dist/CHANGES_1.3

I guessed this was the reason, I just wanted to check.

> 
> You'll either have to build it yourself, or ask someone with a
> sparc-1.4.2 to build one for you. (Sorry, I don't have one.)

I /do/ have one, but it's not convenient to go through the whole pkgsrc
rigmarole just for one package which was (formerly) a simple binary
install.  Some 1.4.2 users may not want the pkgsrc machinery around -
hence binary packages. I went back to 1.4.2 from 1.5 for this very
reason - the binaries aren't there for 1.5 and the source builds are
sometimes broken.

Is that policy (of yanking binaries with vulnerabilities) particularly
smart? Would it not be better just to record the vulnerability -
provisions are already in pkg for this - and let the user decide if they
want to install it?? For the application I have, the vulnerability is
completely unimportant. 

There are other arguments for NOT removing binaries based on discovered vulnerabilities:
1. Vulnerable source is still available from netbsd.org, apache.org etc.
and distribution media, without warning the installer
2. Vulnerable binaries are still available from apache.org etc. and
distribution media, without warning the installer
3. Undiscovered bugs/exploits exist in other binaries. To consistently
follow the same policy, surely any binary package is suspect?

If these arguments for leaving the old releases alone are not
sufficient, would it be better to rebuild a safer binary rather than
inconveniencing those who were expecting the old one?

regards
Toby
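The thread turns on two mechanisms: the dewey pattern `apache<1.3.14` that selected which binaries were deleted, and the vulnerabilities file that could instead record the problem and let the installer decide. The following is an added example, not code from the thread or from pkgsrc itself, that audits a set of installed packages against entries in that shape. It assumes the three-column layout (pattern, exploit type, URL) seen in the quoted entry, a simplified dewey comparison that handles only dotted numeric versions (the real rules also cover alpha/beta/rc/pl/nb suffixes), and constructed sample data: the apache line is the one from the thread, while `examplepkg` and its advisory URL are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the three-column shape (pattern, exploit type, URL) of a
# pkgsrc-style vulnerabilities file. The apache entry is the one discussed in the
# thread; "examplepkg" is a made-up package used only to show a bounded range.
SAMPLE_VULNERABILITIES = """\
# package-pattern      type-of-exploit      url
apache<1.3.14          remote-user-access   http://httpd.apache.org/dist/CHANGES_1.3
examplepkg>=1.0<1.2    local-file-read      http://example.invalid/advisory-placeholder
"""

# Constructed snapshot of "installed" packages: name -> version.
SAMPLE_INSTALLED = {
    "apache": "1.3.12",
    "apache-ssl": "1.3.12",   # different package name: must NOT match "apache<1.3.14"
    "examplepkg": "1.1",
    "perl": "5.6.0",
}

_OP_RE = re.compile(r"(<=|>=|<|>)([0-9][0-9.]*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into integer components.

    Simplification of the dewey rules: only digits and dots are accepted;
    alpha/beta/rc/pl/nb suffixes are rejected rather than ordered.
    """
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", version):
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like strcmp; missing trailing components count as 0."""
    va, vb = list(parse_version(a)), list(parse_version(b))
    width = max(len(va), len(vb))
    va += [0] * (width - len(va))
    vb += [0] * (width - len(vb))
    return (va > vb) - (va < vb)


def parse_pattern(pattern: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'apache<1.3.14' or 'foo>=1.0<2.0' into (name, [(op, version), ...])."""
    m = re.fullmatch(r"(.+?)((?:(?:<=|>=|<|>)[0-9][0-9.]*)+)", pattern)
    if not m:
        raise ValueError(f"not a dewey pattern: {pattern!r}")
    return m.group(1), _OP_RE.findall(m.group(2))


def matches(pattern: str, pkgname: str, pkgversion: str) -> bool:
    """True when the installed name/version falls inside the pattern's range."""
    name, constraints = parse_pattern(pattern)
    if name != pkgname:
        return False
    for op, bound in constraints:
        c = compare_versions(pkgversion, bound)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


def parse_vulnerabilities(text: str) -> List[Tuple[str, str, str]]:
    """Parse the three whitespace-separated columns, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed entry: {line!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def audit(installed: Dict[str, str], text: str) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, exploit type, URL) for each installed package
    matching a recorded vulnerability, leaving the install decision to the user."""
    findings = []
    for pattern, exploit_type, url in parse_vulnerabilities(text):
        for pkgname, pkgversion in installed.items():
            if matches(pattern, pkgname, pkgversion):
                findings.append((pkgname, pkgversion, exploit_type, url))
    return findings


if __name__ == "__main__":
    for pkg, ver, kind, url in audit(SAMPLE_INSTALLED, SAMPLE_VULNERABILITIES):
        print(f"Package {pkg}-{ver} has a {kind} vulnerability, see {url}")
```

Running the block reports `apache-1.3.12` against the quoted advisory and `examplepkg-1.1` against the placeholder entry, while `apache-ssl` is left alone because the pattern's name part must match exactly. The same audit run at install time is what "record the vulnerability and let the user decide" amounts to in practice: the binary stays available, and the warning travels with it.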