Why do we not mark vulnerable ports DEPRECATED?
linimon at lonesome.com
Tue Aug 30 06:25:42 UTC 2011
On Mon, Aug 29, 2011 at 10:48:31PM -0700, Doug Barton wrote:
> Can someone explain why this would be a bad idea?
Very early in my committer career, I marked a port BROKEN that kde
depended on. I was quickly chastised by people trying to install kde :-)
So, the right answer may be "it depends". For unmaintained leaf or
leaf-ish ports like you're talking about, I think the answer is exactly
correct -- such ports do nothing but cause users problems. But I think
it would be counterproductive to mark e.g. php5 and firefox as such
whenever a new vulnerability is found. It's just simply too common* an
A different but related topic: I don't think we've been sufficiently
rigorous about marking DEPRECATED or BROKEN ports with EXPIRATION_DATEs.
That could be a Junior Committer Task. (I know that Pav has swept some
out in the past.)
* never mind that some secteam members will grumble that they should be
marked as permanently insecure anyways