Date:      Sat, 7 Jun 2025 21:32:33 -0400
From:      Adam Weinberger <adamw@adamw.org>
To:        Einar Bjarni Halldórsson <einar@isnic.is>
Cc:        freebsd-go@freebsd.org
Subject:   Re: Dependency versions
Message-ID:  <CAP7rwcjWsQXSfRWPvKAZEKDose=pj%2BK%2BS9RkLEbZApjRPPEbsw@mail.gmail.com>
In-Reply-To: <FC284210-A543-4721-93C9-297709958574@isnic.is>

On Sat, Jun 7, 2025 at 4:27 PM Einar Bjarni Halldórsson <einar@isnic.is>
wrote:

> Hi,
>
> I’m the maintainer of the mail/mailslurper port.
> I’m working on updating the port now, and I ran govulncheck on the
> work source as part of that.
>
> govulncheck found 4 vulnerabilities in 3 modules. The upstream release
> is from 2023 (I know… I missed it…).
> My question is, should I update the modules in the port, report it to
> upstream and wait for upstream to update go.mod, or both? Is it kosher
> for a port to update dependencies out-of-sync with upstream?
>
> .einar
>

Tons of our ports modify code for more than just compatibility. We can do
whatever we need to do to be confident in the ports we provide our users,
and I've changed dependencies around before. We do put a lot of stock into
helping our users lower their attack surface, so you're considering this
for a good reason.

Upstreaming is really important in a case like that--not just because it
helps everyone, but also because (if they're still active) upstream can
tell you whether they avoided upgrading certain dependencies for a
particular reason. Some authors minimize churn and recompilation by only
adopting security updates that touch the specific function(s) they use. If
you believe that the users of mailslurper may be at risk of a serious
security breach, or if you have evidence that upstream has abandoned the
software, then there's nothing wrong with updating our repo before waiting
for a response.

The other caveat is that if you break it, you buy it  :)  (you'll have us
to help, of course).

-- 
Adam Weinberger
adamw@adamw.org
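The distinction Adam draws, between an advisory that merely names a module you depend on and one whose vulnerable function the program actually calls, is what govulncheck's call-graph analysis reports: a finding with a call trace means the scanned code reaches the vulnerable symbol, a module-level hit does not. The script below is an added example, not code from the thread or from the mailslurper project; it reduces a govulncheck -json stream to a per-module view (advisories, whether any is reachable, and the highest fixed version, which is the minimum to bump to). The record shape it reads (a stream of objects where a "finding" carries "osv", "fixed_version" and "trace", with trace[0] as the vulnerable module/symbol) is an assumption about the format, and the sample stream is constructed with placeholder module paths and advisory ids.

```python
import json
import re

# Constructed sample mirroring "4 vulnerabilities in 3 modules". Module paths and
# advisory ids are placeholders; the record shape is an assumed subset of govulncheck -json.
SAMPLE_STREAM = """
{"config": {"scanner_name": "govulncheck"}}
{"finding": {"osv": "GO-EXAMPLE-0001", "fixed_version": "v0.17.0", "trace": [
  {"module": "example.org/netlib", "version": "v0.7.0", "function": "ReadFrame"},
  {"module": "example.org/mailapp", "function": "main"}]}}
{"finding": {"osv": "GO-EXAMPLE-0002", "fixed_version": "v0.23.0", "trace": [
  {"module": "example.org/netlib", "version": "v0.7.0", "function": "Parse"},
  {"module": "example.org/mailapp", "function": "render"}]}}
{"finding": {"osv": "GO-EXAMPLE-0003", "fixed_version": "v0.17.0", "trace": [
  {"module": "example.org/cryptolib", "version": "v0.5.0"}]}}
{"finding": {"osv": "GO-EXAMPLE-0004", "fixed_version": "", "trace": [
  {"module": "example.org/textlib", "version": "v1.0.0", "function": "Wrap"},
  {"module": "example.org/mailapp", "function": "main"}]}}
"""

def iter_records(stream):
    """Yield each top-level JSON object of a concatenated (possibly multi-line) stream."""
    dec, pos = json.JSONDecoder(), 0
    while (m := re.compile(r"\S").search(stream, pos)):
        obj, pos = dec.raw_decode(stream, m.start())
        yield obj

def version_key(v):
    """Numeric vMAJOR.MINOR.PATCH key; '' (no fixed release) sorts lowest."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v or "")
    return tuple(int(n) for n in m.groups()) if m else (0, 0, 0)

def summarize(stream):
    """Map module -> {current, min_fix, osvs, reachable}; a trace[0] frame with a function
    name means govulncheck found a call path from the scanned code into that symbol."""
    mods = {}
    for rec in iter_records(stream):
        f = rec.get("finding")
        if not f or not f.get("trace"):
            continue  # config, progress and osv records carry no finding
        top = f["trace"][0]
        r = mods.setdefault(top["module"], dict(current=top.get("version"), min_fix="", osvs=[], reachable=False))
        if f["osv"] not in r["osvs"]:  # one advisory may be reported at module, package and symbol level
            r["osvs"].append(f["osv"])
        if version_key(f.get("fixed_version")) > version_key(r["min_fix"]):
            r["min_fix"] = f["fixed_version"]  # highest fix across advisories = minimum version to bump to
        r["reachable"] = r["reachable"] or bool(top.get("function"))
    return mods

if __name__ == "__main__":
    for mod, r in sorted(summarize(SAMPLE_STREAM).items()):
        fix = f"bump to >= {r['min_fix']}" if r["min_fix"] else "no fixed release yet"
        print(f"{mod} {r['current']}: {len(r['osvs'])} advisories, reached={r['reachable']}, {fix}")
```

Pipe real output in with `govulncheck -json ./... | python3 summarize.py` after swapping `SAMPLE_STREAM` for `sys.stdin.read()`; a module that is reached with no fixed release is the case worth raising with upstream first.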
