Subject: Re: binary packages with vulnerabilities removed from ftp - a bad idea?
To: Matthias Buelow <mkb@incubus.de>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-pkg
Date: 01/30/2005 13:18:30
On Sun, Jan 30, 2005 at 05:11:36AM +0100, Matthias Buelow wrote:
> maybe move the problematic package files into a seperate, distinctive
> directory reserved for packages with security bugs, and have the pkg_add
> mechanism issue a comprehensible warning about that, including that they
> have been relocated, and why that has been done so (a standard message
> would probably suffice here). then the user can manually add these
> problematic packages from that directory, if he wants to.
I've been thinking about this for some time too. Another issue that
happens from time to time is that a package is marked vulnerable by
mistake (the most common being a vulnerability in version x and later,
but pkg-vulnerabilities has an entry <=x), so binary packages are
removed by mistake, and are lost.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--