From owner-freebsd-ports@FreeBSD.ORG Tue Aug 30 06:25:42 2011
Delivered-To: freebsd-ports@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DDFC0106566B; Tue, 30 Aug 2011 06:25:42 +0000 (UTC) (envelope-from linimon@lonesome.com)
Received: from mail.soaustin.net (pancho.soaustin.net [76.74.250.40]) by mx1.freebsd.org (Postfix) with ESMTP id BC6778FC0A; Tue, 30 Aug 2011 06:25:41 +0000 (UTC)
Received: by mail.soaustin.net (Postfix, from userid 502) id 499155615E; Tue, 30 Aug 2011 01:25:41 -0500 (CDT)
Date: Tue, 30 Aug 2011 01:25:41 -0500
From: Mark Linimon
To: Doug Barton
Message-ID: <20110830062541.GA5538@lonesome.com>
References: <4E5C79AF.6000408@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4E5C79AF.6000408@FreeBSD.org>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: secteam@FreeBSD.org, "freebsd-ports@FreeBSD.org"
Subject: Re: Why do we not mark vulnerable ports DEPRECATED?
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD
X-List-Received-Date: Tue, 30 Aug 2011 06:25:42 -0000

On Mon, Aug 29, 2011 at 10:48:31PM -0700, Doug Barton wrote:
> Can someone explain why this would be a bad idea?

Very early in my committer career, I marked a port BROKEN that kde depended on. I was quickly chastised by people trying to install kde :-)

So, the right answer may be "it depends". For unmaintained leaf or leaf-ish ports like you're talking about, I think the answer is exactly correct -- such ports do nothing but cause users problems. But I think it would be counterproductive to mark e.g. php5 and firefox as such whenever a new vulnerability is found. It's just simply too common* an occurrence.
A different but related topic: I don't think we've been sufficiently rigorous about marking DEPRECATED or BROKEN ports with EXPIRATION_DATEs. That could be a Junior Committer Task. (I know that Pav has swept some out in the past.)

mcl

* never mind that some secteam members will grumble that they should be marked as permanently insecure anyways
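The sweep Mark describes (finding ports marked DEPRECATED or BROKEN that carry no EXPIRATION_DATE) is mechanical enough to script. The following POSIX sh example is added here and is not from the original mail or from the FreeBSD ports tree; it builds a small constructed ports tree of three Makefiles under a temporary directory and reports the category/port pairs that set DEPRECATED or BROKEN without an EXPIRATION_DATE. The function name `find_missing_expiration`, the sample port names and the sample values are assumptions; only the variable names DEPRECATED, BROKEN and EXPIRATION_DATE are the real ones discussed in the thread.

```shell
#!/bin/sh
# Constructed sample ports tree (not a real one): three ports under $TREE.
TREE="$(mktemp -d)"
trap 'rm -rf "$TREE"' EXIT
mkdir -p "$TREE/net/foo" "$TREE/www/bar" "$TREE/devel/baz"

# Port with both a DEPRECATED reason and an expiration date: correct.
cat > "$TREE/net/foo/Makefile" <<'EOF'
PORTNAME=	foo
DEPRECATED=	Unmaintained upstream, known vulnerabilities
EXPIRATION_DATE=	2011-09-30
EOF

# Port marked BROKEN with no expiration date: should be reported.
cat > "$TREE/www/bar/Makefile" <<'EOF'
PORTNAME=	bar
BROKEN=	does not build with clang
EOF

# Port marked DEPRECATED with no expiration date: should be reported.
cat > "$TREE/devel/baz/Makefile" <<'EOF'
PORTNAME=	baz
DEPRECATED=	Abandoned
EOF

# find_missing_expiration TREE
# Walks category/port/Makefile under TREE and prints "category/port" for every
# Makefile that assigns DEPRECATED or BROKEN (=, ?=, +=, :=) but never assigns
# EXPIRATION_DATE. Output is one entry per line, sorted.
find_missing_expiration() {
    tree="$1"
    find "$tree" -mindepth 3 -maxdepth 3 -name Makefile | while read -r mk; do
        if grep -Eq '^(DEPRECATED|BROKEN)[[:space:]]*[?+:]?=' "$mk" \
           && ! grep -Eq '^EXPIRATION_DATE[[:space:]]*[?+:]?=' "$mk"; then
            portdir=$(dirname "$mk")
            printf '%s/%s\n' \
                "$(basename "$(dirname "$portdir")")" "$(basename "$portdir")"
        fi
    done | sort
}

# Run it against the constructed tree; on a real checkout pass the
# ports tree root (e.g. /usr/ports) instead of $TREE.
find_missing_expiration "$TREE"
```

Run against a real checkout, the list is the set of ports a committer would need to visit to add an EXPIRATION_DATE (or to remove the mark if it no longer applies); the regex deliberately matches only top-level assignments, so a DEPRECATED set inside a conditional block with leading whitespace would need a looser pattern.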