Update for JPI_LIST.

Jeremy Messenger mezz7 at cox.net
Fri Sep 23 13:43:28 PDT 2005


On Fri, 23 Sep 2005 15:23:08 -0500, Joe Marcus Clarke  
<marcus at marcuscom.com> wrote:

> On Fri, 2005-09-23 at 15:21 -0500, Jeremy Messenger wrote:
>> On Fri, 23 Sep 2005 13:18:57 -0500, Greg Lewis <glewis at eyesbeyond.com>
>> wrote:
>>
>> > On Fri, Sep 23, 2005 at 12:33:37PM -0500, Jeremy Messenger wrote:
>> >> On Fri, 23 Sep 2005 12:00:32 -0500, Greg Lewis <glewis at eyesbeyond.com>
>> >> wrote:
>> >> >All,
>> >> >
>> >> >Attached is a patch to update the JPI_LIST variable in the firefox,
>> >> >mozilla and mozilla-devel ports.  It removes the 1.3.1 plugins (these
>> >> >have had security problems for some time), the 1.4.1 plugin (ditto
>> >> >plus anyone using 1.4 almost certainly has 1.4.2) and
>> >>
>> >> Leaving them alone is probably the best thing to do, since they exist in
>> >> ports tree and if one of them has any security issue then Java port
>> >> should be disabled, not us. Also, it's up to the user's decision if they
>> >> want to use old Java as they exist in ports tree.
>> >>
>> >> Well, if old Java will not work with Firefox at all then the removal is
>> >> reasonable.
>> >
>> > The ports themselves have either been FORBIDDEN when the plugin is
>> > requested (1.3.1) or completely superseded (1.4.1).  The problem is
>> > that if they installed the ports prior to the security alerts then
>> > the browser will automatically create this link for them without
>> > their knowledge and leave them vulnerable.  I think we would do our
>> > users a disservice by leaving them there.
>> >
>> > I can't comment as to whether the old plugins work with Firefox,
>> > although I can give them a try tonight and find out.
>> >
>> >> >corrects the patch for the 1.5.0 plugin now that we have
>> >> >functioning.
>> >> >
>> >> >Any objections?
>> >>
>> >> No objection to the 1.5.0 plugin fix, but let me merge your fix of 1.5.0
>> >> plugin with another fix that will do the bump PORTREVISION at the same
>> >> time. I will commit it in the evening to see if your topic will get more
>> >> feedback.
>> >
>> > If it's more convenient to merge it in then by all means do that :).
>>
>> Okay, I think I will go with your full patch. Hey team, what do you think?
>> jdk13 depends on gtk12 and is out of date, there is no 1.4.1 in ports
>> tree. At last, it should be no big deal because there is no Java package.
>>
>> Honestly, I think leaving them alone is harmless.
>
> Kill the old VMs!

Committed, glewis, thanks for submitting the patch!

Cheers,
Mezz

> Joe


-- 
mezz7 at cox.net  -  mezz at FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/  -  gnome at FreeBSD.org


More information about the freebsd-gnome mailing list