On Thursday, May 15, 2003, at 12:36 AM, Matt Zimmerman wrote: <snip>
Removing a package from the archive is not very useful as a security measure. Most users who want the package will already have it installed, and it is those users who are most exposed. It's not unusual for a vulnerability to exist for a long time before it is discovered, during which time a large number of users will have installed it.
So perhaps the replacement is a better way of doing it. Then the question is whether you replace it with a dummy empty one, or an essentially identical working one, except containing a very loud warning.
-- Chris