Recent ports removal

[Baptiste Daroussin]

On Wed, Nov 09, 2011 at 12:43:25PM -0800, Stanislav Sedov wrote:
> Hi!
> 
> I noticed the following in the commit log:
> %
> %  Modified files:
> %    .                    MOVED 
> %    devel                Makefile 
> %    graphics             Makefile 
> %  Removed files:
> %    devel/soup           Makefile distinfo pkg-descr pkg-plist 
> %    devel/soup/files     patch-Makefile.in patch-configure 
> %                         patch-docs::reference::Makefile.in 
> %                         patch-soup-0.7.11-gcc41 
> %                         patch-src_libsoup_soup-message.c 
> %                         patch-src_libwsdl_wsdl-soap-memory.c 
> %                         patch-src_libwsdl_wsdl-soap-parse.c 
> %                         patch-src_libwsdl_wsdl-typecodes.c 
> %    graphics/clutter-qt  Makefile distinfo pkg-descr pkg-plist 
> %    graphics/librsvg     Makefile distinfo pkg-descr pkg-plist 
> %    graphics/librsvg/files patch-Makefile.in patch-configure 
> %                           patch-librsvg-config.in patch-rsvg-ft.c 
> %                           patch-test-ft-gtk.c patch-test-ft.c 
> %    graphics/p5-clutter  Makefile distinfo pkg-descr pkg-plist 
> %  Log:
> %  2011-11-06 devel/soup: Unmaintain, use devel/libsoup
> %  2011-11-06 graphics/clutter-qt: upstream distfile and doesn't build, and %doesn't seem to be developed anymore
> %  2011-11-06 graphics/p5-clutter: upstream distfile disappeard, and doesn't seem to be developed anymore
> %  2011-11-06 graphics/librsvg: unmaintained and not used anymore
> 
> I just cannot get the commit message. librsvg -- not used by whom?  Personally,
> I used it in one of my older projects (~ 10 years old) which I don't plan
> to rework to use rsvg2/gtk2 because it doesn't make sense for it.  So how
> do I use my project now on FreeBSD?
> 
> It's also a lie that it's not maintained, it's maintained by ports@ mailing
> list and the community.  So please, restore it.
> 
> The same also probably goes for other ports, but I don't have enough details
> to comment.
> 
> Thanks!
> 

They have been deprecated for a while and noone said anything about those, that
is the purpose of the DEPRECATED status. The "not used anymore" mean not used in
the portstree (ie no more depended on).

If someone really needs it, he can: 
1- install it by hand
2- maintain the port
3- just come up when someone deprecate it saying please undeprecate I really
need it.
4- they should be a lot more options.

I has been deprecated and removed just because upstream don't maintain it, no
one looks at the "maybe" security problem if any etc.

Of course it could have been a mistake to remove this one in particular, in that
case sorry about that.

Concerning the fact that it is "maintained" by ports@, if it would really be the
case why it is still in the tree while it depends on libxml1 for which in about
5s I find a security issue:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1944 which hasn't been
reported and hasn't been fixed at all, which means librsvg1 is also vulnerable. 

the problem is that those ports abandonned upstream are not really maintain
anymore, and can lead to a real security problem.


note that I don't know yet how the libxml1 vulnerability can have an impact on
librsvg, this is just a 5s example.

regards,
Bapt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20111109/0b91d5e2/attachment.pgp