Date: Mon, 05 Sep 2011 21:06:55 +0200
From: Matthias Andree <mandree@FreeBSD.org>
To: freebsd-ports@freebsd.org
Subject: Re: sysutils/cfs
Message-ID: <4E651DCF.30605@FreeBSD.org>
In-Reply-To: <4E651518.8070700@aldan.algebra.com>
References: <CADLo838g=r3C4pHVteObPYrA6VxB7%2B4banaEXeVrPwGD7MDAtg@mail.gmail.com> <CADLo83_A%2BOh%2Bi4ZFQ=KnZyvBk0h2pf%2BbJnjhYHm=5UyacjE3cA@mail.gmail.com> <4E6503C2.5080002@aldan.algebra.com> <CADLo838bxRPmJS-qzRF9wzGseKr6CoxoXEWb0rmcYDfhK_ZLQg@mail.gmail.com> <4E651518.8070700@aldan.algebra.com>

On 05.09.2011 20:29, Mikhail T. wrote:
> On 05.09.2011 13:32, Chris Rees wrote:
>> If it's not that hard to fix then do it.
> Before doing it, I wanted to confirm, that there are no other, more
> serious vulnerabilities.
>
> Things, for which no fixes have been posted -- unlike for this
> particular one, which Debian fixed several years ago (before dropping it
> for whatever reasons).
>
> Instead of confirming (or denying), you yelled at me. Ouch...

I don't see yelling. Note that Chris isn't obliged to research things that you are interested in but he isn't -- that expectation of yours is over the top. He's not your research slave^Wstudent.

The point is that Chris isn't interested in fixing dead ports with known bugs, and keeping known-broken ports in the tree is dangerous to our users no matter if it's locally or remotely exploitable.

Typically ports with buffer overflow vulnerabilities have more issues than the discovered ones, and unless the port is _actively_ maintained it's better to remove it, lest users shout at us for letting them run into this knife without our telling them.

So either Kostik, or you, or someone else steps up to maintain the port at least to the extent that the known security bugs and reported bugs get fixed, or to hell the port goes. If neither of you is to become the maintainer, EXPIRATION_DATE stands.

Regarding Kostik's "damage to the project", keeping known broken ports around isn't fostering our reputation either.

And, repeat message: once someone steps up to fix the issues, the port can be revived. It happens.

Anyways, there are four weeks to fix the issues in the port.