[Bug 287391] textproc/libxml2: security patches for 2.11.9

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 21 Jun 2025 19:32:48 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

--- Comment #33 from Florian Smeets <flo@FreeBSD.org> ---
(In reply to Charlie Li from comment #27)

> For future reference, considering upstream's current stance on security issues, please do not add vuxml/CVE entries against this port unless fix(es) for the same vuxml/CVE entry is committed upstream (open issues and merge requests do not count).

No, that's certainly not how it works. Upstream's recent announcement regarding
security issues has nothing to do with FreeBSD ports. When we have vulnerable
software in ports, it gets marked vulnerable in vuxml, period.

Hiding vulnerabilities is a disservice to our users. If there is an
announcement, everybody can react the way they need to. In this case, the
pressure finally made you commit the backports instead of discouraging
submitters and committers who wanted to do the right thing.

It's really beyond me how two committers can be so stubbornly arguing against
security fixes. There are people trying to run professional services with FreeBSD
and ports/pkgs.
