Date: Tue, 30 Aug 2011 01:25:41 -0500
From: Mark Linimon <linimon@lonesome.com>
To: Doug Barton <dougb@FreeBSD.org>
Cc: secteam@FreeBSD.org, "freebsd-ports@FreeBSD.org" <freebsd-ports@FreeBSD.org>
Subject: Re: Why do we not mark vulnerable ports DEPRECATED?
Message-ID: <20110830062541.GA5538@lonesome.com>
In-Reply-To: <4E5C79AF.6000408@FreeBSD.org>
References: <4E5C79AF.6000408@FreeBSD.org>
On Mon, Aug 29, 2011 at 10:48:31PM -0700, Doug Barton wrote:
> Can someone explain why this would be a bad idea?

Very early in my committer career, I marked a port BROKEN that kde depended on. I was quickly chastised by people trying to install kde :-)

So, the right answer may be "it depends". For unmaintained leaf or leaf-ish ports like you're talking about, I think the answer is exactly correct -- such ports do nothing but cause users problems. But I think it would be counterproductive to mark e.g. php5 and firefox as such whenever a new vulnerability is found. It's just simply too common* an occurrence.

A different but related topic: I don't think we've been sufficiently rigorous about marking DEPRECATED or BROKEN ports with EXPIRATION_DATEs. That could be a Junior Committer Task. (I know that Pav has swept some out in the past.)

mcl

* never mind that some secteam members will grumble that they should be marked as permanently insecure anyways
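The "Junior Committer Task" mentioned above amounts to a tree-wide audit: find ports that set DEPRECATED or BROKEN but never got an EXPIRATION_DATE, and find ports whose EXPIRATION_DATE has already passed. The script below is an added example, not part of the thread or of the FreeBSD ports infrastructure; the function names and the sample port directories it creates are constructed for illustration. It only reads top-level `VAR=` assignments in each port Makefile (indented marks inside `.if` blocks are deliberately skipped), and it compares ISO dates as strings, which avoids the GNU/BSD `date(1)` split.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD ports tree for
# DEPRECATED/BROKEN ports lacking EXPIRATION_DATE, and for ports whose
# EXPIRATION_DATE has already passed. Sample tree below is constructed.

# port_origin PORTSDIR MAKEFILE -> "category/port"
port_origin() {
    d=$(dirname "$2")
    printf '%s\n' "${d#"$1"/}"
}

# has_var VAR MAKEFILE: true if VAR is assigned at column 0 (=, ?=, +=, :=).
# BROKEN_i386= and friends do not match, and neither do indented .if bodies.
has_var() {
    grep -Eq "^$1[[:space:]]*[?:+]?=" "$2"
}

# var_value VAR MAKEFILE -> first assigned value, surrounding whitespace stripped
var_value() {
    sed -nE "s/^$1[[:space:]]*[?:+]?=[[:space:]]*//p" "$2" | head -n1 | sed 's/[[:space:]]*$//'
}

# missing_expiration PORTSDIR -> one "category/port" per line for ports that
# are DEPRECATED or BROKEN but set no EXPIRATION_DATE (the gap the mail raises).
missing_expiration() {
    for mk in "$1"/*/*/Makefile; do
        [ -f "$mk" ] || continue
        if has_var DEPRECATED "$mk" || has_var BROKEN "$mk"; then
            has_var EXPIRATION_DATE "$mk" || port_origin "$1" "$mk"
        fi
    done
}

# expired_ports PORTSDIR TODAY -> ports whose EXPIRATION_DATE (YYYY-MM-DD) is
# strictly before TODAY. ISO dates sort correctly as plain strings.
expired_ports() {
    for mk in "$1"/*/*/Makefile; do
        [ -f "$mk" ] || continue
        has_var EXPIRATION_DATE "$mk" || continue
        exp=$(var_value EXPIRATION_DATE "$mk")
        first=$(printf '%s\n%s\n' "$exp" "$2" | sort | head -n1)
        if [ "$exp" != "$2" ] && [ "$first" = "$exp" ]; then
            port_origin "$1" "$mk"
        fi
    done
}

# make_sample_tree -> path of a constructed ports tree (sample data, not real ports)
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/net/oldleaf" "$t/www/unmaintained" "$t/lang/stillok" "$t/devel/clean"
    # deprecated, no expiration date: should be reported by missing_expiration
    printf 'PORTNAME=oldleaf\nDEPRECATED=\tUnmaintained upstream\n' > "$t/net/oldleaf/Makefile"
    # broken with a date already in the past relative to 2011-08-30
    printf 'PORTNAME=unmaintained\nBROKEN=\tdoes not fetch\nEXPIRATION_DATE=\t2011-08-01\n' > "$t/www/unmaintained/Makefile"
    # deprecated with a future date: correctly marked, nothing to report
    printf 'PORTNAME=stillok\nDEPRECATED?=\tUpstream dead\nEXPIRATION_DATE=\t2011-12-31\n' > "$t/lang/stillok/Makefile"
    # only an arch-specific BROKEN_i386, which the audit intentionally ignores
    printf 'PORTNAME=clean\nBROKEN_i386=\tunrelated arch-specific mark\n' > "$t/devel/clean/Makefile"
    printf '%s\n' "$t"
}

# Run against a real tree with: PORTSDIR=/usr/ports sh audit.sh
if [ -n "${PORTSDIR:-}" ]; then
    echo "== DEPRECATED/BROKEN without EXPIRATION_DATE =="
    missing_expiration "$PORTSDIR"
    echo "== EXPIRATION_DATE already passed (as of $(date +%Y-%m-%d)) =="
    expired_ports "$PORTSDIR" "$(date +%Y-%m-%d)"
fi
```

Running it against the constructed tree reports net/oldleaf as missing a date and www/unmaintained as expired on 2011-08-30, while lang/stillok and devel/clean are left alone. A real sweep would also want to follow EXPIRATION_DATE assignments inside conditional blocks and in `Makefile.local`, which this example does not attempt.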