Why Are You NOT Using FreeBSD?

Adam Strohl adams-freebsd at ateamsystems.com
Sun Jun 3 10:42:59 UTC 2012


On 6/3/2012 17:24, Etienne Robillard wrote:
> Technical debt perhaps counts when upstream vendor "new versions" break
> things unexpectedly?

For this to happen, though, that means one of two things:

1. The port maintainer has updated the port to grab this new version, 
and tested it (and it worked) then committed the change.  And now it 
doesn't work for some people/setups.  They need to know and fix it.

2. Then the upstream vendor, behind everyone's back, changes the code 
inside the distro file(s).  This then breaks the MD5/SHA256 check.   The 
port maintainer needs to know so they can fix it.

For #1 I see it as delaying the fix ("I won't report my problem, I'll 
just use an old version").

For #2, having an old version of the ports tree wouldn't solve this issue 
since it was prompted by a change by the vendor to begin with.

I feel like this thread is grossly overstating how often ports are 
broken, which is super rare in my experience. Proposing a versioned ports 
tree seems like a bad-practice-encouraging solution to a problem that 
doesn't really exist [in my experience].

And it is bad practice.  There is a constant stream of security issues 
being discovered and ignoring them is totally inappropriate.

Yes, there are rare situations where you have to make a trade-off on 
security to fit some highly specialized need, but I wouldn't want that to 
be encouraged and it certainly isn't the solution to broken ports.

P.S.
Not subbed to -ports, CC me on replies.
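
The checksum check from case 2, as an added example that is not part of the original message or the ports tree's own code: it parses distinfo-style `SHA256 (...)` and `SIZE (...)` lines and compares fetched bytes against them. The file name, file contents and helper names are constructed for illustration.

```python
import hashlib
import re

# One distinfo entry looks like "SHA256 (name) = hex" or "SIZE (name) = bytes".
_ENTRY = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # blanks and any other line types are skipped
        rec = entries.setdefault(m.group("name"), {})
        kind, value = m.group(1), m.group("value")
        rec[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries

def verify_distfile(name, data, entries):
    """Check fetched bytes against the recorded size and SHA256.

    Returns a list of mismatch descriptions; an empty list means the file
    is the one the maintainer tested. A missing record counts as a failure.
    """
    rec = entries.get(name)
    if rec is None or "SHA256" not in rec:
        return ["no SHA256 recorded for " + name]
    problems = []
    if "SIZE" in rec and rec["SIZE"] != len(data):
        problems.append("size %d != recorded %d" % (len(data), rec["SIZE"]))
    digest = hashlib.sha256(data).hexdigest()
    if digest != rec["SHA256"]:
        problems.append("sha256 %s != recorded %s" % (digest, rec["SHA256"]))
    return problems

# Constructed sample: the tarball the maintainer tested, and a silent re-roll
# published later by the vendor under the same file name.
TESTED = b"example-1.0 source as tested by the maintainer\n"
REROLLED = b"example-1.0 source changed upstream, same name\n"
DISTINFO = "SHA256 (example-1.0.tar.gz) = %s\nSIZE (example-1.0.tar.gz) = %d\n" % (
    hashlib.sha256(TESTED).hexdigest(), len(TESTED))

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    print(verify_distfile("example-1.0.tar.gz", TESTED, entries))    # []
    print(verify_distfile("example-1.0.tar.gz", REROLLED, entries))
```

The re-rolled file fails even though its name is unchanged, which is why an older snapshot of the ports tree would hit the same mismatch once the vendor has replaced the file.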

