From owner-freebsd-ports@FreeBSD.ORG Mon Sep 5 19:07:07 2011
Return-Path:
Delivered-To: freebsd-ports@freebsd.org
Received: from apollo.emma.line.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by hub.freebsd.org (Postfix) with ESMTP id A5687106567B for ; Mon, 5 Sep 2011 19:07:06 +0000 (UTC) (envelope-from mandree@FreeBSD.org)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by apollo.emma.line.org (Postfix) with ESMTP id 69C6B23D34D for ; Mon, 5 Sep 2011 21:06:55 +0200 (CEST)
Message-ID: <4E651DCF.30605@FreeBSD.org>
Date: Mon, 05 Sep 2011 21:06:55 +0200
From: Matthias Andree
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Mnenhy/0.8.3 Thunderbird/3.1.13
MIME-Version: 1.0
To: freebsd-ports@freebsd.org
References: <4E6503C2.5080002@aldan.algebra.com> <4E651518.8070700@aldan.algebra.com>
In-Reply-To: <4E651518.8070700@aldan.algebra.com>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: sysutils/cfs
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 Sep 2011 19:07:07 -0000

On 05.09.2011 20:29, Mikhail T. wrote:
> On 05.09.2011 13:32, Chris Rees wrote:
>> If it's not that hard to fix then do it.
> Before doing it, I wanted to confirm, that there are no other, more
> serious vulnerabilities.
>
> Things, for which no fixes have been posted -- unlike for this
> particular one, which Debian fixed several years ago (before dropping it
> for whatever reasons).
>
> Instead of confirming (or denying), you yelled at me. Ouch...

I don't see yelling. Note that Chris isn't obliged to research things that you are interested in but he isn't -- that expectation of yours is over the top. He's not your research slave^Wstudent.
The point is that Chris isn't interested in fixing dead ports with known bugs, and keeping known-broken ports in the tree is dangerous to our users no matter if it's locally or remotely exploitable. Typically ports with buffer overflow vulnerabilities have more issues than the discovered ones, and unless the port is _actively_ maintained it's better to remove it, lest users shout at us for letting them run into this knife without our telling them.

So either Kostik, or you, or someone else steps up to maintain the port at least to the extent that the known security bugs and reported bugs get fixed, or to hell the port goes. If neither of you is to become the maintainer, EXPIRATION_DATE stands.

Regarding Kostik's "damage to the project", keeping known broken ports around isn't fostering our reputation either.

And, repeat message: once someone steps up to fix the issues, the port can be revived. It happens. Anyways, there are four weeks to fix the issues in the port.