> (a) When audit-packages tells me that an installed package has a vulnerability, what actions do you recommend that I perform in reaction to that report? (Each package's web page states "If you have a vulnerable package installed on any machine, you are advised to remove the package immediately" - which is not terrifically helpful in practice!)
>
> (b) When I want to upgrade a particular package (for example because I need its new functionality), how do you recommend that I do this, bearing in mind that I have a lot of other software installed and in use on the system?

These are very fair questions. They are difficult to answer for two reasons:

- When packages are updated in pkgsrc, sometimes the ABI changes. To be safe, this requires rebuilding all the depending packages.

- pkgsrc supports building from source and also installing binary packages. Getting the ABI dependencies right requires bumping the revision (nbN), given the current schemes.

So, when updating pkgsrc from cvs, usually many packages will appear to need rebuilding. A number of buildlink3 files will specify newer required versions than are installed. Thus, using make update, one is led to a very large amount of rebuilding. Presumably this is what you are seeing.

I deal with this in two ways:

- I almost exclusively use "make replace" rather than "make update". This is unsafe, but works often, and requires far fewer rebuilds.

- I use pkg_comp and pkg_chk to build all the packages I need, and then pkg_delete all packages, clean out remaining cruft, and then add the newly built packages.

As to "do you have to reinstall all packages every 3 months", I'm afraid the answer is yes, if you want to track a stable branch with security maintenance. But, with pkg_chk, and pkg_comp or binaries from ftp.netbsd.org, doing the update isn't so painful.

-- Greg Troxel <gdt%ir.bbn.com@localhost>