Why do we not mark vulnerable ports DEPRECATED?

Chad Perrin code at apotheon.net
Tue Aug 30 15:47:47 UTC 2011

On Mon, Aug 29, 2011 at 10:48:31PM -0700, Doug Barton wrote:
> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain why
> this would be a bad idea?

Might that not interfere with the process of getting a new maintainer for
a popular port when its previous maintainer has been lax (or hit by a

Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20110830/d8a89317/attachment.pgp

More information about the freebsd-ports mailing list