Date: Tue, 30 Aug 2011 00:56:48 -0500
From: Ade Lovett <ade@FreeBSD.org>
To: Doug Barton <dougb@FreeBSD.org>
Cc: secteam@FreeBSD.org, "freebsd-ports@FreeBSD.org" <freebsd-ports@FreeBSD.org>
Subject: Re: Why do we not mark vulnerable ports DEPRECATED?
Message-ID: <20110830005648.4fdcf144@lab.lovett.com>
In-Reply-To: <4E5C79AF.6000408@FreeBSD.org>
References: <4E5C79AF.6000408@FreeBSD.org>
On Mon, 29 Aug 2011 22:48:31 -0700 Doug Barton <dougb@FreeBSD.org> wrote:

> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?

That's a little excessive, I agree.

> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain
> why this would be a bad idea?

Probably excessive on the other side, at least as far as the auto-deletion is concerned. We've had cases where libraries with a non-trivial number of upward dependencies have had issues -- libpng springs to mind for some reason. Of course, things were fixed relatively promptly in that particular case, so it's a little bit of a non sequitur -- perhaps I'm focusing too much on "they get removed" being an automated process, which I think it would have needed to be in order to be effective.

-aDe

> Doug
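The thread proposes marking a vulnerable port DEPRECATED with a short EXPIRATION_DATE and removing it once that date passes. As an added example, not part of this message or of the FreeBSD ports tree, the script below builds a constructed mini ports tree and lists the ports whose expiration has passed, which is the inventory step any "they get removed" automation would have to start from. The variable names DEPRECATED and EXPIRATION_DATE are the real ports-framework ones; the port skeletons, versions and dates are constructed samples.

```shell
#!/bin/sh
# Added example: find ports whose DEPRECATED marking has expired.
# The ports tree built here is constructed sample data, not the real tree.
set -u

# Create a temporary tree with three constructed port skeletons:
#   mail/libspf2-10    deprecated, expiration already passed
#   mail/example-fixed deprecated, expiration still in the future
#   mail/example-clean not deprecated at all
make_sample_tree() {
    dir=$(mktemp -d) || exit 1
    mkdir -p "$dir/mail/libspf2-10" "$dir/mail/example-fixed" "$dir/mail/example-clean"
    cat > "$dir/mail/libspf2-10/Makefile" <<'EOF'
PORTNAME=	libspf2
PORTVERSION=	1.0.4
DEPRECATED=	Unfixed vulnerability (constructed sample)
EXPIRATION_DATE=	2011-09-15
EOF
    cat > "$dir/mail/example-fixed/Makefile" <<'EOF'
PORTNAME=	example-fixed
PORTVERSION=	2.0
DEPRECATED=	Upstream fix pending (constructed sample)
EXPIRATION_DATE=	2011-12-31
EOF
    cat > "$dir/mail/example-clean/Makefile" <<'EOF'
PORTNAME=	example-clean
PORTVERSION=	1.0
EOF
    echo "$dir"
}

# Print "category/port EXPIRATION_DATE" for every port whose expiration date
# is on or before $2 (YYYY-MM-DD). Dates are compared as integers after
# stripping the dashes, which keeps the comparison POSIX-sh portable.
expired_ports() {
    tree=$1
    today=$(printf '%s' "$2" | tr -d -)
    for mk in "$tree"/*/*/Makefile; do
        [ -f "$mk" ] || continue
        exp=$(sed -n 's/^EXPIRATION_DATE=[[:space:]]*//p' "$mk")
        [ -n "$exp" ] || continue
        expnum=$(printf '%s' "$exp" | tr -d -)
        if [ "$expnum" -le "$today" ]; then
            rel=${mk#"$tree"/}
            rel=${rel%/Makefile}
            printf '%s %s\n' "$rel" "$exp"
        fi
    done
}

# Stand-alone demo: report against today's date, then clean up.
demo_tree=$(make_sample_tree)
expired_ports "$demo_tree" "$(date +%Y-%m-%d)"
rm -rf "$demo_tree"
```

Run as-is it prints the constructed ports whose date has passed; in a real tree the loop would walk `category/port/Makefile` the same way, and the output is exactly the list a person (or a cron job) would review before deciding whether a port gets un-deprecated or removed.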