sysutils/cfs

Erik Trulsson ertr1013 at student.uu.se
Wed Sep 7 12:07:31 UTC 2011


On Wed, Sep 07, 2011 at 09:37:07PM +1000, Peter Jeremy wrote:
> On 2011-Sep-06 23:30:04 -0700, Stanislav Sedov <stas at FreeBSD.org> wrote:
> >What about requiring that the ports deprecated should be either broken
> >or have known published vulnerabilities for a long period of
> >time (say 6 months) for the start?
> 
> This might be reasonable for broken ports but ports with known
> vulnerabilities should either be fixed or removed promptly.

That depends somewhat on the exact nature of the vulnerability.
Depending on how the port is used a given vulnerability might not
be a problem. (E.g. if a port has a vulnerability which allows a local
user to become root, then it is a problem for multi-user systems with
untrusted users, but for a system which only has a single user or only
trusted users it would not be a significant problem.)

If a port can be used safely despite existing vulnerabilities it is not
at all clear it needs to be removed quickly even if it is not fixed.

(Marking it FORBIDDEN so potential users are warned about known
problems is another thing.)



-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013 at student.uu.se