Update for JPI_LIST.
Joe Marcus Clarke
marcus at marcuscom.com
Fri Sep 23 13:23:40 PDT 2005
On Fri, 2005-09-23 at 15:21 -0500, Jeremy Messenger wrote:
> On Fri, 23 Sep 2005 13:18:57 -0500, Greg Lewis <glewis at eyesbeyond.com> wrote:
> > On Fri, Sep 23, 2005 at 12:33:37PM -0500, Jeremy Messenger wrote:
> >> On Fri, 23 Sep 2005 12:00:32 -0500, Greg Lewis <glewis at eyesbeyond.com>
> >> wrote:
> >> >All,
> >> >
> >> >Attached is a patch to update the JPI_LIST variable in the firefox,
> >> >mozilla and mozilla-devel ports. It removes the 1.3.1 plugins (these
> >> >have had security problems for some time), the 1.4.1 plugin (ditto
> >> >plus anyone using 1.4 almost certainly has 1.4.2) and
> >> Leaving them alone is probably the best thing to do, since they exist in
> >> ports tree and if one of them has any security issue then Java port
> >> should be disabled, not us. Also, it's up to the user's decision if they
> >> want to use old Java as they exist in ports tree.
> >> Well, if old Java will not work with Firefox at all then the removal is
> >> reasonable.
> > The ports themselves have either been FORBIDDEN when the plugin is
> > requested (1.3.1) or completely superseded (1.4.1). The problem is
> > that if they installed the ports prior to the security alerts then
> > the browser will automatically create this link for them without
> > their knowledge and leave them vulnerable. I think we would do our
> > users a disservice by leaving them there.
> > I can't comment as to whether the old plugins work with Firefox,
> > although I can give them a try tonight and find out.
> >> >corrects the patch for the 1.5.0 plugin now that we have
> >> >functioning.
> >> >
> >> >Any objections?
> >> No objection to the 1.5.0 plugin fix, but let me merge your fix of 1.5.0
> >> plugin with another fix that will bump PORTREVISION at the same time. I
> >> will commit it in the evening to see if your topic will get more
> >> feedback.
> > If it's more convenient to merge it in then by all means do that :).
> Okay, I think I will go with your full patch. Hey team, what do you think?
> jdk13 depends on gtk12 and is out of date, there is no 1.4.1 in ports
> tree. At last, it should be no big deal because there is no Java package.
> Honestly, I think leaving them alone is harmless.
Kill the old VMs!
PGP Key : http://www.marcuscom.com/pgp.asc