Date: Fri, 23 Sep 2005 15:43:48 -0500 From: "Jeremy Messenger" <mezz7@cox.net> To: "Joe Marcus Clarke" <marcus@marcuscom.com> Cc: Greg Lewis <glewis@eyesbeyond.com>, gnome@freebsd.org Subject: Re: Update for JPI_LIST. Message-ID: <op.sxko7asz9aq2h7@mezz.mezzweb.com> In-Reply-To: <1127506988.98415.31.camel@shumai.marcuscom.com> References: <20050923170032.GA12227@misty.eyesbeyond.com> <op.sxkgebvd9aq2h7@mezz.mezzweb.com> <20050923181857.GA13250@misty.eyesbeyond.com> <op.sxkn56xz9aq2h7@mezz.mezzweb.com> <1127506988.98415.31.camel@shumai.marcuscom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 23 Sep 2005 15:23:08 -0500, Joe Marcus Clarke <marcus@marcuscom.com> wrote: > On Fri, 2005-09-23 at 15:21 -0500, Jeremy Messenger wrote: >> On Fri, 23 Sep 2005 13:18:57 -0500, Greg Lewis <glewis@eyesbeyond.com> >> wrote: >> >> > On Fri, Sep 23, 2005 at 12:33:37PM -0500, Jeremy Messenger wrote: >> >> On Fri, 23 Sep 2005 12:00:32 -0500, Greg Lewis >> <glewis@eyesbeyond.com> >> >> wrote: >> >> >All, >> >> > >> >> >Attached is a patch to update the JPI_LIST variable in the firefox, >> >> >mozilla and mozilla-devel ports. It removes the 1.3.1 plugins >> (these >> >> >have had security problems for some time), the 1.4.1 plugin (ditto >> >> >plus anyone using 1.4 almost certainly has 1.4.2) and >> >> >> >> Leave them alone are probably the best thing to do, since they exist >> in >> >> ports tree and if one of them have any security issue then Java port >> >> should be disable, not us. Also, it's up to the user's decision if >> they >> >> want to use old Java as they exist in ports tree. >> >> >> >> Well, if old Java will not work with Firefox at all then the remove >> is >> >> reasonable. >> > >> > The ports themselves have either been FORBIDDEN when the plugin is >> > requested (1.3.1) or completely superseded (1.4.1). The problem is >> > that if they installed the ports prior to the security alerts then >> > the browser will automatically create this link for them without >> > their knowledge and leave them vulnerable. I think we would do our >> > users a disservice by leaving them there. >> > >> > I can't comment as to whether the old plugins work with Firefox, >> > although I can give them a try tonight and find out. >> > >> >> >corrects the patch for the 1.5.0 plugin now that we have >> >> >functioning. >> >> > >> >> >Any objections? >> >> >> >> No object for 1.5.0 plugin fix, but let me merge your fix of 1.5.0 >> >> plugin >> >> with another fix that will do the bump PORTREVISION at the same >> time. I >> >> will commit it in the evening to see if your topic will get more >> >> feedback. >> > >> > If its more convenient to merge it in then by all means do that :). >> >> Okay, I think I will go with your full patch. Hey team, what do you >> think? >> jdk13 depends on gtk12 and is out of date, there is no 1.4.1 in ports >> tree. At last, it should be no big deal because there is no Java >> package. >> >> Honestly, I think leave them alone is harmless. > > Kill the old VMs! Committed, glewis, thanks for submitted the patch! Cheers, Mezz > Joe -- mezz7@cox.net - mezz@FreeBSD.org FreeBSD GNOME Team http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.sxko7asz9aq2h7>