sysutils/cfs

Matthias Andree mandree at FreeBSD.org
Mon Sep 5 19:07:07 UTC 2011


On 05.09.2011 20:29, Mikhail T. wrote:
> On 05.09.2011 13:32, Chris Rees wrote:
>> If it's not that hard to fix then do it.
> Before doing it, I wanted to confirm, that there are no other, more
> serious vulnerabilities.
> 
> Things, for which no fixes have been posted -- unlike for this
> particular one, which Debian fixed several years ago (before dropping it
> for whatever reasons).
> 
> Instead of confirming (or denying), you yelled at me. Ouch...

I don't see yelling.

Note that Chris isn't obliged to research things that you are interested
in but he isn't -- that expectation of yours is over the top.
He's not your research slave^Wstudent.

The point is that Chris isn't interested in fixing dead ports with known
bugs, and keeping known-broken ports in the tree is dangerous to our
users no matter if it's locally or remotely exploitable.

Typically ports with buffer overflow vulnerabilities have more issues
than the discovered ones, and unless the port is _actively_ maintained
it's better to remove it, lest users shout at us for letting them run
into this knife without our telling them.


So either Kostik, or you, or someone else steps up to maintain the port
at least to the extent that the known security bugs and reported bugs
get fixed, or to hell the port goes.

If neither of you is to become the maintainer, EXPIRATION_DATE stands.


Regarding Kostik's "damage to the project", keeping known broken ports
around isn't fostering our reputation either.


And, repeat message: once someone steps up to fix the issues, the port
can be revived.  It happens.


Anyways, there are four weeks to fix the issues in the port.
