Why do we not mark vulnerable ports DEPRECATED?
Fabian Keil
freebsd-listen at fabiankeil.de
Tue Aug 30 09:35:59 UTC 2011
Doug Barton <dougb at FreeBSD.org> wrote:
> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
>
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain why
> this would be a bad idea?
Many vulnerabilities are only an issue for certain program
configurations, for example most Firefox vulnerabilities
seem to require JavaScript being enabled for a site or
connection controlled by the attacker.
I haven't checked what the problems with mail/libspf2-10 are
(or were), but I don't think all vulnerabilities should be
treated the same.
In my opinion, having a vuxml entry is sufficient; the rest
is up to the user.
I agree with Xin Li's suggestion that it may make sense
to import portaudit to make sure the user is actually aware
of the entry, though.
Fabian