From owner-freebsd-ports@FreeBSD.ORG Wed Sep 7 12:07:31 2011
Date: Wed, 7 Sep 2011 13:55:08 +0200
From: Erik Trulsson
To: Peter Jeremy
Cc: ports@freebsd.org
Subject: Re: sysutils/cfs
Message-ID: <20110907115508.GA95119@owl.midgard.homeip.net>
In-Reply-To: <20110907113707.GA30349@server.vk2pj.dyndns.org>
References: <201109050933.p859XEbP004874@fire.js.berklix.net>
 <4E64C35A.50004@FreeBSD.org>
 <4e65b42e.M5K+to11vAdk/UTk%perryh@pluto.rain.com>
 <4E6581E2.1060502@FreeBSD.org>
 <4e671817.ddHMkPbq9dJ7tLMz%perryh@pluto.rain.com>
 <4E66EFC5.3020201@FreeBSD.org>
 <4e67a3b2.CVKcpQ8KQzuo8BP+%perryh@pluto.rain.com>
 <20110907113707.GA30349@server.vk2pj.dyndns.org>
X-BeenThere: freebsd-ports@freebsd.org
List-Id: Porting software to FreeBSD
User-Agent: Mutt/1.5.21 (2010-09-15)

On Wed, Sep 07, 2011 at 09:37:07PM +1000, Peter Jeremy wrote:
> On 2011-Sep-06 23:30:04 -0700, Stanislav Sedov wrote:
> >What about requiring that the ports deprecated should be either broken
> >or have known published vulnerabilities for a long period of
> >time (say 6 months) for the start?
>
> This might be reasonable for broken ports but ports with known
> vulnerabilities should either be fixed or removed promptly.

That depends somewhat on the exact nature of the vulnerability. Depending
on how the port is used a given vulnerability might not be a problem.
(E.g. if a port has a vulnerability which allows a local user to become
root, then it is a problem for multi-user systems with untrusted users,
but for a system which only has a single user or only trusted users it
would not be a significant problem.)

If a port can be used safely despite existing vulnerabilities it is not
at all clear it needs to be removed quickly even if it is not fixed.
(Marking it FORBIDDEN so potential users are warned about known problems
is another thing.)

-- 
Erik Trulsson
ertr1013@student.uu.se