From owner-freebsd-security@freebsd.org  Tue Aug 30 10:22:48 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 033B8B78C78
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 30 Aug 2016 10:22:48 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id C0D43304;
 Tue, 30 Aug 2016 10:22:47 +0000 (UTC) (envelope-from des@des.no)
Received: from desk.des.no (smtp.des.no [194.63.250.102])
 by smtp.des.no (Postfix) with ESMTP id 659FA5623;
 Tue, 30 Aug 2016 10:22:46 +0000 (UTC)
Received: by desk.des.no (Postfix, from userid 1001)
 id 7BFDE2B09; Tue, 30 Aug 2016 12:20:59 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Kubilay Kocak <koobs@FreeBSD.org>
Cc: Weldon Godfrey <weldon@excelsusphoto.com>,  freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
References: <80eda92991512e9c50915536e7793396@excelsusphoto.com>
 <8a222379-442d-b77d-e96d-27a556f798df@FreeBSD.org>
Date: Tue, 30 Aug 2016 12:20:59 +0200
In-Reply-To: <8a222379-442d-b77d-e96d-27a556f798df@FreeBSD.org> (Kubilay
 Kocak's message of "Wed, 24 Aug 2016 01:02:42 +1000")
Message-ID: <8660qitv5g.fsf@desk.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2016 10:22:48 -0000

Kubilay Kocak <koobs@FreeBSD.org> writes:
> This (good) argument sounds primarily about classification and/or the
> ability or lack thereof to distinguish between types-of-things, which
> are not identical:
>
> * Explicit vulnerability ("Active", Official record (CVE, etc), will or
> likely/expected to be fixed)
> * Implicit (probable) vulnerability (by way of EoL, no fixes/support,
> may have CVE (forever), port/pkg deleted, etc)

In theory, these are not identical.  In practice, there is no way to
tell the difference given the sources and resources we have.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no