Date: Wed, 07 Sep 2011 00:07:03 -0700
From: perryh@pluto.rain.com
To: dougb@freebsd.org
Cc: ports@freebsd.org, jhs@berklix.com, utisoft@gmail.com
Subject: Re: sysutils/cfs
Message-ID: <4e671817.ddHMkPbq9dJ7tLMz%perryh@pluto.rain.com>
In-Reply-To: <4E6581E2.1060502@FreeBSD.org>
References: <201109050933.p859XEbP004874@fire.js.berklix.net> <4E64C35A.50004@FreeBSD.org> <4e65b42e.M5K%2Bto11vAdk/UTk%perryh@pluto.rain.com> <4E6581E2.1060502@FreeBSD.org>

Doug Barton <dougb@freebsd.org> wrote:

> >>>>> Better to deprecate such non urgent ports, & wait a while
> >>>>> after next release is rolled, to give release users a warning
> >>>>> & some time to volunteer ...
> >>
> >> That's an interesting idea, but incredibly unlikely to happen.
> >
> > It _certainly_ won't happen if those in charge refuse to try it!
>
> My point was that the idea is impractical. I was trying to be polite.

How is it impractical to, as a rule, set an expiration date based on
an anticipated future release date rather than only a month or two
out from when the decision is made? (Note that this is in no way
exclusive with setting FORBIDDEN, and/or making an entry in the
portaudit database, immediately upon discovering a vulnerability.)

> > My *guess* is that "the largest percentage of our users" are what
> > Julian calls "release users" -- those who install a release and
> > corresponding ports, and don't touch it subsequently until they
> > become aware of a problem. They _may_ follow the security branch
> > for their base release, but that won't make them aware of issues
> > that have turned up in ports.
>
> For security issues we have portaudit to handle this.

Provided it is installed and activated. Perhaps it should be made
into a part of the ports infrastructure, or even moved into the
base, so as to be present on any machine having packages installed?
