Date:      Tue, 30 Aug 2011 09:29:20 -0600
From:      Chad Perrin <code@apotheon.net>
To:        "freebsd-ports@FreeBSD.org" <freebsd-ports@FreeBSD.org>
Subject:   Re: Why do we not mark vulnerable ports DEPRECATED?
Message-ID:  <20110830152920.GB69850@guilt.hydra>
In-Reply-To: <4E5C79AF.6000408@FreeBSD.org>
References:  <4E5C79AF.6000408@FreeBSD.org>


On Mon, Aug 29, 2011 at 10:48:31PM -0700, Doug Barton wrote:
> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
>
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain why
> this would be a bad idea?

Might that not interfere with the process of getting a new maintainer for
a popular port when its previous maintainer has been lax (or hit by a
bus)?

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]



