Re: git: a18dfb61a2c9 - main - textproc/libxml2: Update to 2.14.4
- In reply to: Charlie Li : "Re: git: a18dfb61a2c9 - main - textproc/libxml2: Update to 2.14.4"
Date: Mon, 23 Jun 2025 14:34:19 UTC
On 23.06.25 13:15, Charlie Li wrote:
> Torsten Zuehlsdorff wrote:
>> Indeed. He got my (conditional) approval, like you can read in the
>> linked comments.
>>
>> Since Daniel did not push any unapproved ports, I don’t see any basis
>> for a formal warning here.
>>
> The wholesale update in the form that was pushed and reverted by me,
> with desktop@ hat, was never approved by desktop@, end of story.

That’s one interpretation, but I think the situation is more nuanced.

First of all there is no formal limit to what ports-sec can approve, as long as it is about fixing security issues. Secondly there is no defined hierarchy, so it is unclear if desktop@ is allowed to overwrite port-sec and vice versa. In this case, I’d argue the security aspect justified my involvement. Thirdly in such overlapping scenarios it is unclear who is needed for approval at all. Either of desktop, port-secteam or both in this specific scenario.

> Even
> though the update included fixes for vuxml entries, it also included
> much more than that, which goes beyond the strict scoping of
> ports-secteam@ and thus needs maintainer approval. What I ultimately pushed
> would have been a bit more okay under ports-secteam@ approval under
> certain circumstances.

Fair point on the scope, but I don’t see ports-secteam approval for your changes either, so I’d be careful drawing that line too sharply.

I felt the need to step in, since - as documented in the PR - there was no clear path to handle the security issues, but a deadlock in different points of view, preferences and taken actions. The update PR has been open for 12 months (!) and was being used to block the security fix - without any reliable estimate on when that update would be ready. From a security standpoint, that’s not acceptable.

With more kindness and openness in the discussions the situation could have gone way smoother.

Best,
Torsten