Date: Fri, 19 Nov 2021 17:07:28 -0800
From: Maxim Sobolev <sobomax@freebsd.org>
To: Mel Pilgrim <list_freebsd@bluerosetech.com>
Cc: Eugene Grosbein <eugen@grosbein.net>, Rene Ladan <rene@freebsd.org>, ports@freebsd.org, portmgr@freebsd.org, python@freebsd.org
Subject: Re: Bringing back lang/python27 with few modules?
Message-ID: <CAH7qZfsmKvXecKbbNaXho_K1ajVM0S7pLYH3Ju04foLrYc-bfA@mail.gmail.com>
In-Reply-To: <09b3a479-5aca-7524-bcee-f03754fefd7c@bluerosetech.com>
References: <CAH7qZfvBQ0gKEdOn7nTuzAbMOG9LM2DVGyUs9b9PGwNgJTDCAw@mail.gmail.com>
 <CAH7qZfu32O8G2bDboOu4oXJTnofu_73OkU5aNodB7k%2B7xh%2B3UA@mail.gmail.com>
 <YZTWdBIF7MhjLqqC@freefall.freebsd.org>
 <eb522655-e199-62f2-1a02-b0ae16143421@grosbein.net>
 <09b3a479-5aca-7524-bcee-f03754fefd7c@bluerosetech.com>

Well, with regards to a language port, "vulnerability" has somewhat dubious applicability. For sure there are many ways to write an insecure C program allowed by the language itself. Shall we consider all C compilers inherently bad based on just that?

Bottom line is that having well supported python 2 tools and environment remains quite a useful thing to have for a lot of FreeBSD users out there. And this need is unlikely to go away in the next 2-3 years to come.

-Max

On Fri., Nov. 19, 2021, 2:41 p.m. Mel Pilgrim, <list_freebsd@bluerosetech.com> wrote:

> On 2021-11-18 0:43, Eugene Grosbein wrote:
> > 17.11.2021 17:16, Rene Ladan wrote:
> >> On Wed, Nov 17, 2021 at 12:37:07AM -0800, Maxim Sobolev wrote:
> >>> P.S. AFAIK our documented criteria for removing a port is when one of the
> >>> following is true:
> >>> o Port lacks maintainership;
> >>> o Port has issues building on supported releases;
> >>> o Port clearly has no users/use;
> >>> o Port has some serious security issues.
> >>>
> >>> The lang/python27 did not belong to either of those bins, IMHO.
> >>
> >> "Unmaintained upstream" is also a criterion, and Python 2.7 fits there.
> >
> > This is a bad criterion for open source software and should not be considered without other reasons
> > like "unfetchable" or "has known critical vulnerabilities".
>
> It very likely has known critical vulnerabilities. For example,
> CVE-2021-3177 is a potential RCE bug in Python 3.x. It was officially
> fixed upstream, and the backported fix is found in Python 2.7 LTS
> contracts.