Subject: Re: binary packages with vulnerabilities removed from ftp - a bad idea?
To: None <tech-pkg@netbsd.org>
From: Frederick Bruckman <fredb@immanent.net>
List: tech-pkg
Date: 01/30/2005 16:01:55
In article <Pine.LNX.4.43.0501292149240.15126-100000@pilchuck.reedmedia.net>,
	"Jeremy C. Reed" <reed@reedmedia.net> writes:
> On Sat, 29 Jan 2005, Geert Hendrickx wrote:
>>
>> when a vulnerability is discovered in a package, the corresponding binary
>> package(s) are removed from NetBSD's ftp-mirrors.  While the reason is
>> obvious (we don't want vulnerable packages), I don't think this is a
>> good idea.  It can make it pretty difficult to use binary packages.
> 
> Yes, this is an inconvenience.
> 
> We should have a daily script that checks to see what packages are missing
> and complain to the pkgsrc developers list every day!

I believe this is possible, now that we have "@blddep".  The easiest
way to use it would be to remove any packages whose "@blddep" required
packages are missing.  The folks charged with bulk builds could then
refresh the missing ones as they have time.  There might be casualties
that might have worked with the newer version of the requirement, but I
think it would be hard to check for that short of installing and running
the flagged packages.

There doesn't seem to be a way to coax "pkg_info" to give up the "@blddep"
information, is there?


Frederick
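A sketch of the check proposed in the message above, added here as an example and not code from the thread or from pkgsrc. It assumes each binary package carries a +CONTENTS packing list with "@blddep <pkgname>-<version>" lines naming the exact packages it was built against, and it walks a constructed in-memory sample instead of reading real archives; removals are iterated to a fixed point so that packages built against a flagged package are flagged in turn.

```python
"""Flag binary packages whose @blddep build-time dependencies are absent.

Added example, not from the thread.  Assumes each binary package holds a
+CONTENTS packing list with "@blddep <pkg>-<version>" lines (pkgsrc format).
The sample data below is constructed inline instead of reading real archives.
"""
import re
from typing import Dict, List, Set

# Constructed sample: package name -> its +CONTENTS text (trimmed to the
# lines that matter).  libfoo-1.0 stands in for a package pulled from the
# mirror because of a vulnerability, so no package of that name is present.
SAMPLE_CONTENTS: Dict[str, str] = {
    "libfoo-1.1": "@name libfoo-1.1\n",
    "bar-2.0": "@name bar-2.0\n@pkgdep libfoo>=1.0\n@blddep libfoo-1.0\n",
    "baz-3.5": "@name baz-3.5\n@pkgdep bar>=2.0\n@blddep bar-2.0\n",
    "quux-0.9": "@name quux-0.9\n@blddep libfoo-1.1\n",
}

BLDDEP_RE = re.compile(r"^@blddep\s+(\S+)\s*$", re.MULTILINE)


def blddeps(contents: str) -> List[str]:
    """Return the exact package names listed on @blddep lines, in order."""
    return BLDDEP_RE.findall(contents)


def find_orphans(available: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each package that should be pulled to the @blddep entries it lacks.

    Iterates to a fixed point: once bar-2.0 is flagged because libfoo-1.0
    is gone, baz-3.5 (built against bar-2.0) is flagged on the next pass.
    """
    present = set(available)
    flagged: Dict[str, Set[str]] = {}
    changed = True
    while changed:
        changed = False
        for pkg in sorted(present):  # sorted() copies, so discard() is safe
            missing = {d for d in blddeps(available[pkg]) if d not in present}
            if missing:
                flagged[pkg] = missing
                present.discard(pkg)
                changed = True
    return flagged


if __name__ == "__main__":
    for pkg, missing in sorted(find_orphans(SAMPLE_CONTENTS).items()):
        print(f"{pkg}: missing build dependency {', '.join(sorted(missing))}")
```

With the sample above it reports bar-2.0 (built against the removed libfoo-1.0) and then baz-3.5 (built against bar-2.0), while quux-0.9 survives because libfoo-1.1 is still on the mirror.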