Date: Tue, 30 Aug 2011 11:25:48 +0200
From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: freebsd-ports@freebsd.org
Subject: Re: Why do we not mark vulnerable ports DEPRECATED?
Message-ID: <20110830112548.073ce249@fabiankeil.de>
In-Reply-To: <4E5C79AF.6000408@FreeBSD.org>
References: <4E5C79AF.6000408@FreeBSD.org>
Doug Barton <dougb@FreeBSD.org> wrote:

> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
>
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain why
> this would be a bad idea?

Many vulnerabilities are only an issue for certain program configurations. For example, most Firefox vulnerabilities seem to require JavaScript being enabled for a site or connection controlled by the attacker.

I haven't checked what the problems with mail/libspf2-10 are (or were), but I don't think all vulnerabilities should be treated the same. In my opinion, having a vuxml entry is sufficient; the rest is up to the user.

I agree with Xin Li's suggestion that it may make sense to import portaudit to make sure the user is actually aware of the entry, though.

Fabian