Re: git: 64fde89d4902 - main - databases/db5: nuke SQL option and abandon port

From: Craig Leres <leres_at_freebsd.org>
Date: Mon, 07 Feb 2022 20:31:13 UTC

On 1/26/22 15:01, Matthias Andree wrote:
> The branch main has been updated by mandree:
> 
> URL: https://cgit.FreeBSD.org/ports/commit/?id=64fde89d49029e00b86e66041f3dfda16725ead7
> 
> commit 64fde89d49029e00b86e66041f3dfda16725ead7
> Author:     Matthias Andree <mandree@FreeBSD.org>
> AuthorDate: 2022-01-26 22:41:18 +0000
> Commit:     Matthias Andree <mandree@FreeBSD.org>
> CommitDate: 2022-01-26 22:59:35 +0000
> 
>      databases/db5: nuke SQL option and abandon port
>      
>      Security:       CVE-2019-8457
>      
>      The SQL option is vulnerable, and since this feature was always marked
>      experimental, nuke it, and backport to 2022Q1.
>      If someone needs the SQL interface in spite of its vulnerability,
>      please use: pkg lock -y db5.
>      
>      MFH:            2022Q1
>      
>      I am marking the port for expiry and abandoning it because I will no
>      longer spend the increasing efforts to play hide and seek with Oracle's
>      patches, or backport sometimes bigger Linux distro patches (Red Hat,
>      Debian, who else?), or otherwise put up with how they have changed
>      availability of patches, documentation, or important information.
>      
>      FOR db5 USERS:
>      
>      One option is to upgrade to db18, but note that db versions 6 and 18
>      are under the Affero GNU GPL v3 license, with implications for,
>      among others, software-as-a-service, and distributability of packages
>      linking against db.  This is in stark contrast with db5's Sleepycat license.
>      
>      POTENTIAL MAINTAINERS:
>      
>      If someone wants to adopt this, review all the various patches in the
>      major other BSD distros and Linux distros, check if their patches can be
>      licensed under a sufficiently liberal license (ideally, MIT-like or
>      Sleepycat) and see what you need to import.

I see that this change leaves us with the BDB_DEFAULT version of bdb 
marked for deprecation (see appended). Should the default change to 18?

		Craig

Message from db5-5.3.28_8:

--
===>   NOTICE:

The db5 port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://docs.freebsd.org/en/articles/contributing/#ports-contributing
--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

EOLd, potential security issues, maybe use db18 instead.

It is scheduled to be removed on or after 2022-06-30.