tech-pkg archive

Re: [HEADSUP] Removing vulnerable packages



1) I object to an automatic removal process just because of a
vulnerability entry.  A number of vulnerabilities affect only some
usages.

Broad removal is way too heavy-handed, and I fail to see how that is
connected with the goal of making pkgsrc useful for pkgsrc users.
pkgsrc lets people build and manage code, and there's a separate issue
of deciding whether to use it.

pkgsrc doesn't have a duty of care about vulnerabilities, and I think
it's important not to take that on.

2) Some of those packages are in the category of "no one in their right
mind should be using them".  Proposing to delete those seems fine, but
the justification is "no one cares or should care" and the vulnerability
issue should be secondary.

3) Specific comments

  lmbench: I use this occasionally.  The problem is limited to untrusted
  local users gaining the permissions of the user running lmbench.  For
  many environments this is not a big deal.  (IMHO, running a system
  with untrustworthy local users is unsound, regardless of known
  issues.)

  snort: This should stay, even if not fixed yet; it's lame for us not
  to have it.  Needs update to 2.9.0.4.  It looks pretty easy and I'll
  give it a try.

  gdb: this is to provide gdb for platforms other than NetBSD, which
  don't already have it native?  It seems like there's little call for
  this and thus ok to remove, but perhaps 

  most of the rest of the packages not marked [will not remove]
