From: Baptiste Daroussin
To: Alexey Dokuchaev
Cc: Christian Weisgerber, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Date: Wed, 9 Apr 2014 09:59:36 +0200
Subject: Re: svn commit: r350627 - in head/multimedia/xmms: . files
Message-ID: <20140409075935.GP97416@ivaldir.etoilebsd.net>
In-Reply-To: <20140409073738.GA27075@FreeBSD.org>
List-Id: SVN commit messages for the ports tree for head

On Wed, Apr 09, 2014 at 07:37:38AM +0000, Alexey Dokuchaev wrote:
> On Tue, Apr 08, 2014 at 03:35:18PM +0000, Christian Weisgerber wrote:
> > New Revision: 350627
> > URL: http://svnweb.freebsd.org/changeset/ports/350627
> > QAT: https://qat.redports.org/buildarchive/r350627/
> >
> > @@ -16,13 +16,10 @@ COMMENT?=3D X Multimedia System -- An audi > > LICENSE=3D GPLv2 > > =20 > > DEPRECATED=3D Abandonware, please consider using multimedia/audacious = instead > > -FORBIDDEN=3D Vulnerable: CVE-2007-0653 CVE-2007-0654 > > -EXPIRATION_DATE=3D 2014-05-01
>
> Thanks Christian for keeping XMMS alive.  This is also a nice example of
> the fact that a DEPRECATED port doesn't necessarily have to go away.  It's
> just, hmm, deprecated -- that is, for people who know what they're doing.
>
> ./danfe
>

xmms is a very good example of why keeping ports without real maintainership
(I am not speaking of having a maintainer assigned) is a bad thing. xmms is
not maintained; it tends to work (perhaps, who really uses it in 2014?). It
took me around 5s to find a vulnerability at the time, but as no one is really
maintaining this port, no one has figured it out for more than 2 years, and
now see how long it took for someone to be interested in fixing it.

Sorry, but I do prefer quality over quantity. I really feel like it is not
serious at all to officially provide packages for the sake that they do build.

The problem with those ports is the following:
- They are not really maintained by anyone, so they might have long-standing
  security issues no one cares about.
- Who really knows if the port is really working?
- It is based on very ancient libraries, gtk12 and friends, which suffer the
  same non-maintenance status (I'm pretty sure if I go through the dependency
  tree I can find at least 1 or 2 very old security issues no one has cared
  about over the years.)
- It is clobbering the ports tree. While you are working on modernizing the
  ports tree, there is lots and lots of pending work to allow, for example,
  packaging as a user, really cross building the ports tree, building with
  modern compilers; all those ports are giving us major pain, and there is
  no one to help to clean them up.

FYI, I cannot count how much time I have spent (wasted) on abandoned ports to
be able to bring cross building, packaging as a user, etc.

We still have 5k packages not staged, which are blockers for cross building,
for example, or sub packages.

regards,
Bapt
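
Review bot: The two removed lines at the end of the quoted r350627 hunk drop "FORBIDDEN= Vulnerable: CVE-2007-0653 CVE-2007-0654" and EXPIRATION_DATE, but nothing in the visible lines records how those two CVEs are now handled. The commit subject lists files as changed alongside the port directory, so a short comment next to DEPRECATED, or a line in the commit message, naming the patch that addresses each CVE would let anyone auditing the port later tie the un-forbidding to a concrete fix. Since DEPRECATED stays while EXPIRATION_DATE goes, it would also help to state explicitly that the port is meant to remain deprecated with no removal date, rather than leaving that to be inferred from the diff.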