Net(etc)BSD is right to have non-installation of vulnerable packages as the default. This can be overridden on a per-package basis, or generally. The information to evaluate the risk to a given system is there.
It's possible, and probably not too hard, to script automatic acceptance of packages with certain vulnerabilities and not others. If someone would set it up and make it available on a separate basis that'd be great. But it shouldn't be part of a BSD or its packages or ports system; just "well known" among the community.
As for blocking many of the potential attacks at a system interface level, I suppose it's possible for much of this; but that would be even more annoying, hard to implement and maintain, and less transparent. Often the reason for a particular application's problems would be in this layer, but near-impossible to find.
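The kind of selective-acceptance script the post describes, sketched as an added example (not code from the post, from NetBSD or from pkgsrc). It assumes the three-field record layout of a pkg-vulnerabilities file (package glob, type of exploit, reference URL); the records, package names and the set of tolerated exploit types below are constructed for illustration. It only decides; it does not replace the audit that pkg_admin performs on installed packages.

```python
"""Policy gate: install a package only if every vulnerability matching it
is of a type the operator has explicitly chosen to tolerate.
Added example; record format assumed, sample data constructed."""
from fnmatch import fnmatchcase

# Constructed records in the assumed pkg-vulnerabilities line layout:
#   <package-glob> <type-of-exploit> <reference-url>
SAMPLE_VULNERABILITIES = """\
# package type-of-exploit url
example-lib-1.[0-2]* denial-of-service https://example.invalid/advisory/1
example-daemon-2.* remote-root-shell https://example.invalid/advisory/2
example-tool-0.9* local-file-read https://example.invalid/advisory/3
"""

# Operator policy (assumption): exploit classes tolerated on this host.
# Anything not listed blocks installation.
ACCEPTED_TYPES = {"denial-of-service", "local-file-read"}


def parse_vulnerabilities(text):
    """Return (glob, exploit_type, url) tuples, skipping comments and
    malformed lines (a malformed record cannot be matched, so it is
    reported by the caller rather than silently treated as clean)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


def matching_vulnerabilities(pkg, records):
    """All (exploit_type, url) entries whose glob matches the package name."""
    return [(t, url) for glob, t, url in records if fnmatchcase(pkg, glob)]


def decide(pkg, records, accepted):
    """Return (verdict, entries). Verdicts:
    'install'                      no matching vulnerability
    'install-with-accepted-vulns'  only tolerated types matched
    'refuse'                       at least one non-tolerated type matched
    """
    hits = matching_vulnerabilities(pkg, records)
    if not hits:
        return ("install", [])
    blocking = [(t, url) for t, url in hits if t not in accepted]
    if blocking:
        return ("refuse", blocking)
    return ("install-with-accepted-vulns", hits)


if __name__ == "__main__":
    recs = parse_vulnerabilities(SAMPLE_VULNERABILITIES)
    for name in ("example-lib-1.1", "example-daemon-2.4.1",
                 "example-tool-0.9.3", "example-other-3.0"):
        verdict, entries = decide(name, recs, ACCEPTED_TYPES)
        print(f"{name}: {verdict}")
        for t, url in entries:
            print(f"    {t}  {url}")
```

The verdict distinguishes a clean package from one installed despite a tolerated vulnerability, so the second case can be logged and revisited rather than disappearing into a plain "ok".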