generalize the note about removed and vulnerably releases

chapter03/packages.xml

@@ -10,6 +10,21 @@
 
   <title>All Packages</title>
 
+  <note>
+    <para>Read the <ulink url='&secadv;'>security advisories</ulink>
+    before downloading packages to figure out if a newer version of any
+    package should be used to avoid security vulnerabilities.</para>
+
+    <para>The upstreams may remove old releases, especially when these
+    releases contain a security vulnerability.  If one URL below is not
+    reachable, you should read the security advisories first to figure out
+    if a newer version (with the vulnerability fixed) should be used.  If
+    not, try to download the removed package from a mirror.  Although it's
+	possible to download an old release from a mirror even if this release
+	has been removed because of a vulnerability, it's not recommended to
+	use a release known to be vulnerable for building your system.</para>
+  </note>
+
   <para>Download or otherwise obtain the following packages:</para>
 
   <variablelist role="materials">
@@ -173,15 +188,6 @@
         <para>Home page: <ulink url="&expat-home;"/></para>
         <para>Download: <ulink url="&expat-url;"/></para>
         <para>MD5 sum: <literal>&expat-md5;</literal></para>
-        <note>
-          <para>The upstream may remove tarballs of the specific releases of
-          <application>Expat</application> when these releases contain a
-          security vulnerability.  You should refer to
-          <ulink url='&lfs-root;lfs/advisories/'>LFS security advisories</ulink>
-          to figure out which version (with the vulnerability fixed) should
-          be used.  You may download the vulnerable version from a mirror,
-          but it's not recommended.</para>
-        </note>
       </listitem>
     </varlistentry>