Why do we not mark vulnerable ports DEPRECATED?

Fabian Keil freebsd-listen at fabiankeil.de
Tue Aug 30 09:35:59 UTC 2011

Doug Barton <dougb at FreeBSD.org> wrote:

> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain why
> this would be a bad idea?

Many vulnerabilities are only an issue for certain program
configurations, for example most Firefox vulnerabilities
seem to require JavaScript being enabled for a site or
connection controlled by the attacker.

I haven't checked what the problems with mail/libspf2-10 are
(or were), but I don't think all vulnerabilities should be
treated the same.

In my opinion having a vuxml entry is sufficient, the rest
is up to the user.

I agree with Xin Li's suggestion that it may make sense
to import portaudit to make sure the user is actually aware
of the entry, though.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20110830/fbf65fe5/signature.pgp

More information about the freebsd-ports mailing list