svn commit: r487286 - head/security/vuxml

[Mathieu Arnold]

On Wed, Dec 12, 2018 at 10:57:12AM +0000, Matthew Seaman wrote:
> On 12/12/2018 10:30, Mathieu Arnold wrote:
> > On Wed, Dec 12, 2018 at 10:26:29AM +0000, Matthew Seaman wrote:
> > > On 12/12/2018 09:57, Mathieu Arnold wrote:
> > > > On Wed, Dec 12, 2018 at 09:16:04AM +0000, Matthew Seaman wrote:
> > > > > Author: matthew
> > > > > Date: Wed Dec 12 09:16:04 2018
> > > > > New Revision: 487286
> > > > > URL: https://svnweb.freebsd.org/changeset/ports/487286
> > > > > 
> > > > > Log:
> > > > >    PHP 70 was EoL'd and is no longer in the ports.
> > > > >    Reported by:	joneum
> > > > 
> > > > No longer in trunk, still in the quarterly, please put it back.
> > > > 
> > > 
> > > It's been put back now.
> > 
> > As a side note, the descriptions in vuxml are not about what currently
> > exists, it is about what once existed, so technically, even in two
> > years, when recording a flavored php app, one should still mention all
> > the previous package names, so that people with old ports tree who have
> > not been updated in a while still get a notification that this app is
> > vulnerable to something.
> 
> How far back should we take this?
> 
> Is there any limit on how old a ports tree and the packages installed from
> it can be and still be expected to be supported by VuXML?  Other than the
> practical limitation of 'pkg audit' or some equivalent being available?

There is technically no limit on how far back this should go,
people often only upgrade when really required to.
But to stay practical, trying to keep a few months of old package names,
so that anything in at least the current quarterly still matches.


-- 
Mathieu Arnold
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/svn-ports-all/attachments/20181212/7b73b655/attachment.sig>