Why do we not mark vulnerable ports DEPRECATED?
ade at FreeBSD.org
Tue Aug 30 06:28:20 UTC 2011
On Mon, 29 Aug 2011 22:48:31 -0700
Doug Barton <dougb at FreeBSD.org> wrote:
> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
That's a little excessive, I agree.
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain
> why this would be a bad idea?
Probably excessive on the other side, at least as far as the
auto-deletion is concerned. We've had cases where libraries with a
non-trivial number of upward dependencies have had issues - libpng
springs to mind for some reason. Of course, things were fixed
relatively promptly in that particular case so it's a little bit of a
non sequitur -- perhaps I'm focusing too much on "they get removed"
being an automated process, which I think it would need to be in
order to be effective.