Date: Thu, 14 Mar 2024 23:59:14 +0100
Subject: Re: Proposed ports deprecation and removal policy
From: Daniel Engberg
To: Tomoaki AOKI
Cc: Michael Gmelin, Eugene Grosbein, Florian Smeets, ports@freebsd.org
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On 2024-03-14T23:27:53.000+01:00, Tomoaki AOKI wrote:
> On Thu, 14 Mar 2024 22:17:39 +0100
> Daniel Engberg wrote:
>
> > On 2024-03-14T21:49:46.000+01:00, Michael Gmelin wrote:
> >
> > > > On 14. Mar 2024, at 21:38, Daniel Engberg wrote:
> > > >
> > > > On 2024-03-12T15:15:49.000+01:00, Eugene Grosbein wrote:
> > > >
> > > > > 12.03.2024 3:24, Daniel Engberg wrote:
> > > > >
> > > > > [skip]
> > > > >
> > > > > > Another possible option would be to add something to the port's metadata that makes pkg aware and easily noticeable
> > > > > > like using a specific color for portname and related information to signal
> > > > > > like if it's red it means abandonware and potentially reduced security.
> > > > >
> > > > > Of course, we need to inform users but not enforce. Tools, not policy.
> > > > >
> > > > Eugene
> > > >
> > > > Hi,
> > > >
> > > > Given that we seem to agree on these points in general why should such ports still be kept in the tree? We don't have such tooling available and it won't likely happen anytime soon. Because it's convenient for a committer who uses these in a controlled network despite being potentially harmful for others?
> > > >
> > > > Just to be clear, I'm after where do we draw the line in general.
> > > >
> > > > If we look at other distros in general based on availability the decision seems to favour overall user security over "convenience". Given that we have security policies etc. in place I'd say that we in general are leaning towards user security?
> > >
> > > So your proposal is to only have ports in the tree that are safe to run on unprotected public networks?
> > >
> > -m
> >
> > I'm asking if we should purposely support it despite the efforts of keeping users safe.
> >
> > Best regards,
> > Daniel
>
> How about setting NO_PACKAGE [1] to force admins to build from ports
> by themselves for such risky but too useful to delete ports?
>
> You may also want to introduce something like LICENSE framework to
> force interaction on build/install, but without something like
> LICENSES_ACCEPTED+= variable to bypass it.
>
>
> [1]
> https://docs.freebsd.org/en/books/porters-handbook/special/#porting-restrictions
>
>
> --
> Tomoaki AOKI

Hi,

That may very well be an option, possibly with some guidelines to prevent it turning into a loophole for being a dumping ground. Since we've moved to git perhaps another option might be to create a separate repo (possibly via submodules) with less restrictive policies and have that as an "add-on" for the official tree without the ports team's and committers' involvement, a bit like "you're on your own" approach?

Best regards,
Daniel