Why do we not mark vulnerable ports DEPRECATED?

Mark Linimon linimon at lonesome.com
Tue Aug 30 06:25:42 UTC 2011


On Mon, Aug 29, 2011 at 10:48:31PM -0700, Doug Barton wrote:
> Can someone explain why this would be a bad idea?

Very early in my committer career, I marked a port BROKEN that kde
depended on.  I was quickly chastised by people trying to install kde :-)

So, the right answer may be "it depends".  For unmaintained leaf or
leaf-ish ports like you're talking about, I think the answer is exactly
correct -- such ports do nothing but cause users problems.  But I think
it would be counterproductive to mark e.g. php5 and firefox as such
whenever a new vulnerability is found.  It's just simply too common* an
occurrence.

A different but related topic: I don't think we've been sufficiently
rigorous about marking DEPRECATED or BROKEN ports with EXPIRATION_DATEs.
That could be a Junior Committer Task.  (I know that Pav has swept some
out in the past.)

mcl

* never mind that some secteam members will grumble that they should be
marked as permanently insecure anyways
