Date:      Fri, 5 Dec 2025 17:07:34 +0100
From:      Robert Clausecker <fuz@fuz.su>
To:        Adam Weinberger <adamw@freebsd.org>
Cc:        Michael Gmelin <grembo@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject:   Re: git: f45b1d07f50b - main - many: Unsupported Go dep; deprecate and schedule for removal
Message-ID:  <aTMDRtvwzBzXi2er@fuz.su>
In-Reply-To: <CAP7rwcgh1qbY29Yn8TqxXyQjsM1tBwakJjm=oosq7xHnG64ETw@mail.gmail.com>
References:  <6932e88b.2dbf8.7aad26de@gitrepo.freebsd.org> <aTL4-HmeB5utBsO1@fuz.su> <20251205165440.4359b77f.grembo@freebsd.org> <CAP7rwcgh1qbY29Yn8TqxXyQjsM1tBwakJjm=oosq7xHnG64ETw@mail.gmail.com>

Hi Adam,

Please follow the Porter's Handbook, which gives 1 month for security
issues or 2 months for build issues.  Note that a CVE in the toolchain
does not mean that applications built with it are affected; that's only
the case if the application uses the affected component, so it's usually
not a security issue.

IMHO it should be 3 months though.

Yours,
Robert Clausecker

On Fri, Dec 05, 2025 at 11:04:45AM -0500, Adam Weinberger wrote:
> On Fri, Dec 5, 2025 at 10:54 AM Michael Gmelin <grembo@freebsd.org> wrote:
> 
> > (sorry for top posting)
> >
> > Note:
> >
> > This should be
> >
> >   USES= go:modules
> >
> > otherwise you'll see
> >
> >   Unknown USES=go,modules
> >
> 
> Oops, good catch! I *knew* I was going to make that mistake. For some
> reason, my fingers always want to put a comma instead of a colon there.
> 
> > Can I modify, test, and undeprecate ports I depend on, or am I supposed
> > to open PRs for each affected port, then wait for a maintainer timeout
> > and fix it between Christmas and New Years?
> 
> 
> Hi Michael, great thought! Yes, absolutely this should be covered under the
> just-fix-it blanket approval.
> 
> As for the time-frame, I put 1 month because it's a small number of ports
> and it's trivial to test and fix. If people want more time, I'm happy to
> extend the expiration date if there is a consensus opinion about what it
> should be. I feel pretty strongly that it should be no later than the 1.26
> release date.
> 
> I think the next step is to set all go 1.24 ports to expire when 1.26 comes
> out (at which point 1.24 will be unsupported), which will be
> mid-February-ish. Does that sound right?
> 
> 
> -- 
> Adam Weinberger
> adamw@adamw.org // adamw@FreeBSD.org

-- 
()  ascii ribbon campaign - for an encoding-agnostic world
/\  - against html email  - against proprietary attachments