Date: Mon, 05 Sep 2011 11:33:14 +0200
From: "Julian H. Stacey" <jhs@berklix.com>
To: ports@freebsd.org
Cc: Chris Rees <utisoft@gmail.com>
Subject: Re: sysutils/cfs
Message-ID: <201109050933.p859XEbP004874@fire.js.berklix.net>
In-Reply-To: Your message "Sun, 04 Sep 2011 21:36:55 BST." <CADLo83_=3KtO4yJfqVXXfL%2Bqwvne5m0KAA8GVw8=esV%2BBacP=w@mail.gmail.com>

Chris Rees wrote:
> On 4 September 2011 21:32, Julian H. Stacey <jhs@berklix.com> wrote:
> >>
> >> Whoops, also missed a CVE -- buffer overflows can cause a DoS.
> >> Expiration date altered to 1 month accordingly.
> >
> > It is not responsible to threaten to remove ports without warning
> > between releases for non urgent reasons.
> >
> > Better to deprecate such non urgent ports, & wait a while after next
> > release is rolled, to give release users a warning & some time
> > to volunteer (or if a firm using releases, perhaps time to allocate
> > a staff member if a port is important to them).
>
> Yeah... perhaps if there isn't a vulnerability. At the moment it's
> marked FORBIDDEN,

Correction:
"At the moment" all those with 8.2-RELEASE/ports still see no FORBIDDEN,
Only current "At the moment" sees
FORBIDDEN=... DEPRECATED=... EXPIRATION_DATE=...

> so it's useless

Correction:
A port marked FORBIDDEN is not "useless" but "forbidden",
Ref.: /usr/ports/Mk/bsd.port.mk:
# FORBIDDEN - Package build should not be attempted because of
#             security vulnerabilities.
Users can delete FORBIDDEN & be aware there's an issue, & consider risk
&/or volunteering to maintain. (in this particular case BTW, a mobile
laptop with cfs & no net might not worry about remote attackers)

> -- anyone who is serious about
> fixing it at whatever time is welcome to check it out of the Attic --

Only any with CVS. Not anyone just with a release, who will find
it gone between releases with no trace, warning, or reason given.

> a slight inconvenience ...
    ^^^^^
A Major inconvenience to any release users, for which again no
warning to Release was given.

> for which we apologise.

Not credible. Repeat drive by FreeBSD ports shootings are increasingly
regular. The Attic is the standard myopic excuse, ignoring not all
FreeBSD release users have CVS, or read daily bleeding edge current
ports@ inc. threat of the day to destroy the next port.

> In the mean time, the ports tree is not a
> museum for ancient insecure bug-ridden software.

Drive by code shootings should not occur without warning to release
users, except in emergency.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below, not above; Indent with "> "; Cumulative like a play script.
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 http://www.softwarefreedomday.org 17th Sept, http://berklix.org/sfd/ Oct.