sysutils/cfs

Julian H. Stacey jhs at berklix.com
Mon Sep 5 09:33:54 UTC 2011


Chris Rees wrote:
> On 4 September 2011 21:32, Julian H. Stacey <jhs at berklix.com> wrote:
> >>
> >> Whoops, also missed a CVE -- buffer overflows can cause a DoS.
> >> Expiration date altered to 1 month accordingly.
> >
> > It is not responsible to threaten to remove ports without warning
> > between releases for non urgent reasons.
> >
> > Better to deprecate such non urgent ports, & wait a while after next
> > release is rolled, to give release users a warning & some time
> > to volunteer (or if a firm using releases, perhaps time to allocate
> > a staff member if a port is important to them).
> 
> Yeah... perhaps if there isn't a vulnerability. At the moment it's
> marked FORBIDDEN,

Correction:
"At the moment" all those with 8.2-RELEASE/ports still see no FORBIDDEN;
 only current "At the moment" sees
  FORBIDDEN=...
  DEPRECATED=...
  EXPIRATION_DATE=...

>  so it's useless
Correction:
A port marked FORBIDDEN is not "useless" but "forbidden", Ref.:
  /usr/ports/Mk/bsd.port.mk:
    # FORBIDDEN     - Package build should not be attempted because of
    #                 security vulnerabilities.
Users can delete FORBIDDEN & be aware there's an issue, &
consider risk &/or volunteering to maintain.
(In this particular case, BTW, a mobile laptop with cfs & no net
might not worry about remote attackers.)


> -- anyone who is serious about
> fixing it at whatever time is welcome to check it out of the Attic --

Only those with CVS.  Not anyone just with a release, who will find
it gone between releases with no trace, warning, or reason given.

> a slight inconvenience 
... ^^^^^

A Major inconvenience to any release users,
for which again no warning to Release was given.

> for which we apologise.

Not credible. 
Repeat drive by FreeBSD ports shootings are increasingly regular.
The Attic is the standard myopic excuse, ignoring not all FreeBSD
release users have CVS, or read daily bleeding edge current ports@ inc.
threat of the day to destroy the next port.

> In the mean time, the ports tree is not a
> museum for ancient insecure bug-ridden software.

Drive by code shootings should not occur without warning to release
users, except in emergency.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below, not above;  Indent with "> ";  Cumulative like a play script.
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 http://www.softwarefreedomday.org 17th Sept,  http://berklix.org/sfd/ Oct.