Message-Id: <201109050933.p859XEbP004874@fire.js.berklix.net>
To: ports@freebsd.org
From: "Julian H. Stacey"
Cc: Chris Rees
Subject: Re: sysutils/cfs
Date: Mon, 05 Sep 2011 11:33:14 +0200

Chris Rees wrote:
> On 4 September 2011 21:32, Julian H. Stacey wrote:
> >>
> >> Whoops, also missed a CVE -- buffer overflows can cause a DoS.
> >> Expiration date altered to 1 month accordingly.
> >
> > It is not responsible to threaten to remove ports without warning
> > between releases for non urgent reasons.
> >
> > Better to deprecate such non urgent ports, & wait a while after next
> > release is rolled, to give release users a warning & some time
> > to volunteer (or if a firm using releases, perhaps time to allocate
> > a staff member if a port is important to them).
>
> Yeah... perhaps if there isn't a vulnerability. At the moment it's
> marked FORBIDDEN,

Correction: "At the moment" all those with 8.2-RELEASE/ports still see
no FORBIDDEN, Only current "At the moment" sees
	FORBIDDEN=...
	DEPRECATED=...
	EXPIRATION_DATE=...

> so it's useless

Correction: A port marked FORBIDDEN is not "useless" but "forbidden",
Ref.: /usr/ports/Mk/bsd.port.mk:
	# FORBIDDEN - Package build should not be attempted because of
	#             security vulnerabilities.

Users can delete FORBIDDEN & be aware there's an issue, & consider
risk &/or volunteering to maintain.

(in this particular case BTW, a mobile laptop with cfs & no net
might not worry about remote attackers)

> -- anyone who is serious about
> fixing it at whatever time is welcome to check it out of the Attic --

Only any with CVS. Not anyone just with a release, who will find
it gone between releases with no trace, warning, or reason given.

> a slight inconvenience ...
    ^^^^^
A Major inconvenience to any release users, for which again
no warning to Release was given.

> for which we apologise.

Not credible. Repeat drive by FreeBSD ports shootings are increasingly
regular. The Attic is the standard myopic excuse, ignoring not all
FreeBSD release users have CVS, or read daily bleeding edge current
ports@ inc. threat of the day to destroy the next port.

> In the mean time, the ports tree is not a
> museum for ancient insecure bug-ridden software.

Drive by code shootings should not occur without warning to release
users, except in emergency.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below, not above; Indent with "> "; Cumulative like a play script.
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 http://www.softwarefreedomday.org 17th Sept, http://berklix.org/sfd/ Oct.