sysutils/cfs

perryh at pluto.rain.com
Wed Sep 7 00:16:08 UTC 2011


Doug Barton <dougb at freebsd.org> wrote:

> >>>>> Better to deprecate such non urgent ports, & wait a while
> >>>>> after next release is rolled, to give release users a warning
> >>>>> & some time to volunteer ...
> >>
> >> That's an interesting idea, but incredibly unlikely to happen.
> > 
> > It _certainly_ won't happen if those in charge refuse to try it!
>
> My point was that the idea is impractical. I was trying to be polite.

How is it impractical to, as a rule, set an expiration date based
on an anticipated future release date rather than only a month or
two out from when the decision is made?  (Note that this is in no
way exclusive with setting FORBIDDEN, and/or making an entry in the
portaudit database, immediately upon discovering a vulnerability.)

> > My *guess* is that "the largest percentage of our users" are what
> > Julian calls "release users" -- those who install a release and
> > corresponding ports, and don't touch it subsequently until they
> > become aware of a problem.  They _may_ follow the security branch
> > for their base release, but that won't make them aware of issues
> > that have turned up in ports. 
>
> For security issues we have portaudit to handle this.

Provided it is installed and activated.  Perhaps it should be made
into a part of the ports infrastructure, or even moved into the
base, so as to be present on any machine having packages installed?

