From: perryh@pluto.rain.com
To: dougb@freebsd.org
Cc: ports@freebsd.org, jhs@berklix.com, utisoft@gmail.com
Date: Wed, 07 Sep 2011 00:07:03 -0700
Subject: Re: sysutils/cfs
Message-Id: <4e671817.ddHMkPbq9dJ7tLMz%perryh@pluto.rain.com>
In-Reply-To: <4E6581E2.1060502@FreeBSD.org>
References: <201109050933.p859XEbP004874@fire.js.berklix.net> <4E64C35A.50004@FreeBSD.org> <4e65b42e.M5K+to11vAdk/UTk%perryh@pluto.rain.com> <4E6581E2.1060502@FreeBSD.org>
List-Id: Porting software to FreeBSD

Doug Barton wrote:
> >>>>> Better to deprecate such non urgent ports, & wait a while
> >>>>> after next release is rolled, to give release users a warning
> >>>>> & some time to volunteer ...
> >>
> >> That's an interesting idea, but incredibly unlikely to happen.
> >
> > It _certainly_ won't happen if those in charge refuse to try it!
>
> My point was that the idea is impractical. I was trying to be polite.

How is it impractical to, as a rule, set an expiration date based on an anticipated future release date rather than only a month or two out from when the decision is made? (Note that this is in no way exclusive with setting FORBIDDEN, and/or making an entry in the portaudit database, immediately upon discovering a vulnerability.)

> > My *guess* is that "the largest percentage of our users" are what
> > Julian calls "release users" -- those who install a release and
> > corresponding ports, and don't touch it subsequently until they
> > become aware of a problem. They _may_ follow the security branch
> > for their base release, but that won't make them aware of issues
> > that have turned up in ports.
>
> For security issues we have portaudit to handle this.

Provided it is installed and activated. Perhaps it should be made into a part of the ports infrastructure, or even moved into the base, so as to be present on any machine having packages installed?