Date: Wed, 9 Apr 2014 09:59:36 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Alexey Dokuchaev <danfe@FreeBSD.org>
Cc: Christian Weisgerber <naddy@FreeBSD.org>, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: svn commit: r350627 - in head/multimedia/xmms: . files
Message-ID: <20140409075935.GP97416@ivaldir.etoilebsd.net>
In-Reply-To: <20140409073738.GA27075@FreeBSD.org>
References: <201404081535.s38FZIwG078361@svn.freebsd.org> <20140409073738.GA27075@FreeBSD.org>

On Wed, Apr 09, 2014 at 07:37:38AM +0000, Alexey Dokuchaev wrote:
> On Tue, Apr 08, 2014 at 03:35:18PM +0000, Christian Weisgerber wrote:
> > New Revision: 350627
> > URL: http://svnweb.freebsd.org/changeset/ports/350627
> > QAT: https://qat.redports.org/buildarchive/r350627/
> >
> > @@ -16,13 +16,10 @@ COMMENT?=3D X Multimedia System -- An audi > > LICENSE=3D GPLv2 > > =20 > > DEPRECATED=3D Abandonware, please consider using multimedia/audacious = instead > > -FORBIDDEN=3D Vulnerable: CVE-2007-0653 CVE-2007-0654 > > -EXPIRATION_DATE=3D 2014-05-01
>
> Thanks Christian for keeping XMMS alive. This is also a nice example of
> the fact that DEPRECATED port doesn't necessarily have to go away. It's
> just, hmm, deprecated -- that is, for people who know what they're doing.
>
> ./danfe
>

xmms is a very good example of why keeping ports without real maintainership
(I am not speaking of having a maintainer assigned) is a bad thing. xmms is
not maintained, it tends to work (perhaps, who really uses it in 2014?). It
took me around 5s to find a vulnerability at the time, but as no one is really
maintaining this port, no one has figured it out for more than 2 years, and
now see how long it took for someone to be interested in fixing it.

Sorry but I do prefer quality over quantity. I really feel like it is not
serious at all to officially provide packages for the sake that they do build.

Problem with those ports is the following:
- They are not really maintained by anyone, so they might have long standing
  security issues no one cares about.
- Who really knows if the port is really working?
- It is based on very ancient libraries, gtk12 and friends, which suffer the
  same non-maintenance status (I'm pretty sure if I go through the dependency
  tree I can find at least 1 or 2 very old security issues no one has cared
  about over the years.)
- It is clobbering the ports tree; while you are working on modernizing the
  ports tree there is lots and lots of pending work to allow for example
  packaging as a user, really cross building the ports tree, building with
  modern compilers; all those ports are giving us major pain, and there is
  no one to help to clean them up.

FYI I cannot count how much time I have spent (wasted) on abandoned ports to
be able to bring cross building, packaging as a user etc.

We still have 5k packages not staged which are blockers for cross building for
example or sub packages.

regards,
Bapt
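
Review bot: the removed line "-FORBIDDEN= Vulnerable: CVE-2007-0653 CVE-2007-0654" in the Makefile hunk (@@ -16,13 +16,10 @@) leaves nothing in the Makefile that records how the two CVEs were dealt with. The subject line shows the commit also touches files/, so if the fixes live there, a short comment next to DEPRECATED naming the patch file(s) would let a later reader confirm they are still applied after future updates. Separately, dropping "-EXPIRATION_DATE= 2014-05-01" while DEPRECATED stays makes the deprecation open-ended; if that is the intent, the commit message should say so explicitly.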