Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
From: Jaromir Dolecek <jdolecek@netbsd.org>
List: tech-security
Date: 07/12/2002 16:44:43
Ing.,BcA. Ivan Dolezal wrote:
> But my question was different: what mechanism is behind gathering
> information for the "vulnerabilities" text file? How many people care about it?
> On what basis? Are they paid by the NetBSD Foundation? Or Wasabi Systems?
> Or is it just a chaotic mess?

I don't think anyone is actively searching for new vulnerabilities.
I believe the file is merely updated whenever any of the NetBSD developers
learns about a new vulnerability which affects something in pkgsrc.

Seems like the most active people updating pkg-vulnerabilities are
Itojun and Matthias Scheler; less so David Maxwell, Manuel Bouyer, Thomas
Klausner; also Jim Wise, Johnny C. Lam, Alistair G. Crooks, Bill
Sommerfeld.

> Also: if a package stays calmly in the pkgsrc collection for a suspiciously
> long time (this is obviously more an issue for security software and
> firewalls than for, let's say, TeX), does anybody care whether it should be
> removed - because the package maintainer doesn't care anymore - rather
> than making people think they are safe?

I don't think such policy is desirable. Why remove perfectly well working
software?
Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.org/Ports/i386/ps2.html
-=- We should be mindful of the potential goal, but as the tantric    -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow.   Do not let this distract you.''     -=-