[Bug 287391] textproc/libxml2: security patches for 2.11.9

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 20 Jun 2025 21:30:03 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

--- Comment #20 from Daniel Engberg <diizzy@FreeBSD.org> ---
(In reply to Torsten Zuehlsdorff from comment #18)
While I understand that this issue should be fixed, I'm also quite surprised at
the approach.

To summarize, none of the remaining PRs listed in 279705 are showstoppers.
PR 280158 (java/openjfx14) will cause a few fallouts but none are crucial and
in terms of security openjfx14 is about 5 years old and support ended
upstream a long time ago. graphics/librsvg2 (non rust) also fails; this is also
legacy and deprecated upstream but we still have this in tree for some Tier
3(?) arch [1] which again isn't crucial. Rest are mainly leaf ports with no (by
default) consumers and/or have patches that can only be applied once a new
version of libxml2 has landed. The majority is however dead upstream or
outdated in our tree which likely should be removed due to security concerns but
there are no policies about deprecation so we keep on adding more to the pile
and keep falling more behind.

What makes me more curious is how the idea of applying something _unsupported_
by upstream and _barely_ tested seems like a better idea. Pull in 2.14.4 (patch
is available), deal with the fallout (which has been reported for months) and
be done with it.

1: https://cgit.freebsd.org/ports/tree/Mk/bsd.default-versions.mk#n84
