[Bug 287391] textproc/libxml2: security patches for 2.11.9
Date: Sat, 21 Jun 2025 18:32:40 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

--- Comment #28 from Einar Bjarni Halldórsson <einar@isnic.is> ---
(In reply to Charlie Li from comment #27)
> For future reference, considering upstream's current stance on security
> issues, please do not add vuxml/CVE entries against this port unless
> fix(es) for the same vuxml/CVE entry is committed upstream (open issues
> and merge requests do not count). Remember that both upstream and
> desktop@ are ultimately volunteers.

I disagree very strongly. If there is a known vulnerability, it should be in vuxml. Not publishing known vulnerabilities because of upstream's policy doesn't mean end users shouldn't be aware of known security vulnerabilities in the code they're running.

I'm not blaming upstream, he's obviously burnt out and doing what he needs to carry on, but I'd rather have vulnerabilities in vuxml for a long time than not know about them.