saving a few ports from death

Eitan Adler lists at
Wed Apr 27 21:06:28 UTC 2011

>> apache13 is EOL upstream. We should not have ports for EOL software.
> Why not, exactly?..

What happens if a security hole or a bug is found? Are we the ones to
fix it? If yes, are we to host the patches? Where should the bug
reports go to - our bug tracker? What if our implementation ceases to
match established documentation? Should we host the docs too?

The ports collection is one of *third party* software (with a couple
of small exceptions). If the third party says "this program is done,
has bugs which won't be fixed, etc" we should no longer support it.

>> If upstream says it's dead, who are we to keep it alive?
> We are a major Operating System project, which maintains ports of
> third-party applications for the convenience of our users. An
> EOL-declaration by the authors does not mean the users must stop using it
> immediately -- it simply says, the authors will not be releasing
> updates/bug-fixes.

Correct. However (a) if the third party gave an upgrade path we should
encourage our users to use it and (b) if there *are* known bugs and
especially security holes we should cease to make it available through
our tree.

If a user says "I found an issue with X and it is EOL upstream" the
correct response is to "upgrade to a supported version".

However, this discussion is different to the one that we started with
(namely that of deprecated ports), so let's try and get back on track.

Eitan Adler
