Date:      Fri, 23 Sep 2005 15:21:32 -0500
From:      "Jeremy Messenger" <mezz7@cox.net>
To:        "Greg Lewis" <glewis@eyesbeyond.com>
Cc:        gnome@freebsd.org
Subject:   Re: Update for JPI_LIST.
Message-ID:  <op.sxkn56xz9aq2h7@mezz.mezzweb.com>
In-Reply-To: <20050923181857.GA13250@misty.eyesbeyond.com>
References:  <20050923170032.GA12227@misty.eyesbeyond.com> <op.sxkgebvd9aq2h7@mezz.mezzweb.com> <20050923181857.GA13250@misty.eyesbeyond.com>

On Fri, 23 Sep 2005 13:18:57 -0500, Greg Lewis <glewis@eyesbeyond.com>  
wrote:

> On Fri, Sep 23, 2005 at 12:33:37PM -0500, Jeremy Messenger wrote:
>> On Fri, 23 Sep 2005 12:00:32 -0500, Greg Lewis <glewis@eyesbeyond.com>
>> wrote:
>> >All,
>> >
>> >Attached is a patch to update the JPI_LIST variable in the firefox,
>> >mozilla and mozilla-devel ports.  It removes the 1.3.1 plugins (these
>> >have had security problems for some time), the 1.4.1 plugin (ditto
>> >plus anyone using 1.4 almost certainly has 1.4.2) and
>>
>> Leaving them alone is probably the best thing to do, since they exist in
>> ports tree and if one of them has any security issue then Java port
>> should be disabled, not us. Also, it's up to the user's decision if they
>> want to use old Java as they exist in ports tree.
>>
>> Well, if old Java will not work with Firefox at all then the removal is
>> reasonable.
>
> The ports themselves have either been FORBIDDEN when the plugin is
> requested (1.3.1) or completely superseded (1.4.1).  The problem is
> that if they installed the ports prior to the security alerts then
> the browser will automatically create this link for them without
> their knowledge and leave them vulnerable.  I think we would do our
> users a disservice by leaving them there.
>
> I can't comment as to whether the old plugins work with Firefox,
> although I can give them a try tonight and find out.
>
>> >corrects the patch for the 1.5.0 plugin now that we have
>> >functioning.
>> >
>> >Any objections?
>>
>> No objection for 1.5.0 plugin fix, but let me merge your fix of 1.5.0 plugin
>> with another fix that will do the bump PORTREVISION at the same time. I
>> will commit it in the evening to see if your topic will get more feedback.
>
> If it's more convenient to merge it in then by all means do that :).

Okay, I think I will go with your full patch. Hey team, what do you think?  
jdk13 depends on gtk12 and is out of date, there is no 1.4.1 in ports  
tree. At last, it should be no big deal because there is no Java package.

Honestly, I think leaving them alone is harmless.

Cheers,
Mezz


-- 
mezz7@cox.net  -  mezz@FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/  -  gnome@FreeBSD.org


