Date: Wed, 7 Sep 2011 13:55:08 +0200
From: Erik Trulsson <ertr1013@student.uu.se>
To: Peter Jeremy <peterjeremy@acm.org>
Cc: ports@freebsd.org
Subject: Re: sysutils/cfs
Message-ID: <20110907115508.GA95119@owl.midgard.homeip.net>
In-Reply-To: <20110907113707.GA30349@server.vk2pj.dyndns.org>
References: <201109050933.p859XEbP004874@fire.js.berklix.net> <4E64C35A.50004@FreeBSD.org> <4e65b42e.M5K+to11vAdk/UTk%perryh@pluto.rain.com> <4E6581E2.1060502@FreeBSD.org> <4e671817.ddHMkPbq9dJ7tLMz%perryh@pluto.rain.com> <4E66EFC5.3020201@FreeBSD.org> <4e67a3b2.CVKcpQ8KQzuo8BP+%perryh@pluto.rain.com> <20110907113707.GA30349@server.vk2pj.dyndns.org>
On Wed, Sep 07, 2011 at 09:37:07PM +1000, Peter Jeremy wrote:
> On 2011-Sep-06 23:30:04 -0700, Stanislav Sedov <stas@FreeBSD.org> wrote:
> >What about requiring that the ports deprecated should be either broken
> >or have known published vulnerabilities for a long period of
> >time (say 6 months) for the start?
>
> This might be reasonable for broken ports but ports with known
> vulnerabilities should either be fixed or removed promptly.

That depends somewhat on the exact nature of the vulnerability. Depending on how the port is used, a given vulnerability might not be a problem. (E.g. if a port has a vulnerability which allows a local user to become root, then it is a problem for multi-user systems with untrusted users, but for a system which only has a single user or only trusted users it would not be a significant problem.)

If a port can be used safely despite existing vulnerabilities, it is not at all clear it needs to be removed quickly even if it is not fixed. (Marking it FORBIDDEN so potential users are warned about known problems is another thing.)

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se