Date: Wed, 07 Sep 2011 00:07:03 -0700
From: perryh@pluto.rain.com
To: dougb@freebsd.org
Cc: ports@freebsd.org, jhs@berklix.com, utisoft@gmail.com
Subject: Re: sysutils/cfs
Message-ID: <4e671817.ddHMkPbq9dJ7tLMz%perryh@pluto.rain.com>
In-Reply-To: <4E6581E2.1060502@FreeBSD.org>
References: <201109050933.p859XEbP004874@fire.js.berklix.net> <4E64C35A.50004@FreeBSD.org> <4e65b42e.M5K%2Bto11vAdk/UTk%perryh@pluto.rain.com> <4E6581E2.1060502@FreeBSD.org>
Doug Barton <dougb@freebsd.org> wrote:

> >>>>> Better to deprecate such non urgent ports, & wait a while
> >>>>> after next release is rolled, to give release users a warning
> >>>>> & some time to volunteer ...
> >>
> >> That's an interesting idea, but incredibly unlikely to happen.
> >
> > It _certainly_ won't happen if those in charge refuse to try it!
>
> My point was that the idea is impractical. I was trying to be polite.

How is it impractical to, as a rule, set an expiration date based on an anticipated future release date rather than only a month or two out from when the decision is made? (Note that this is in no way exclusive with setting FORBIDDEN, and/or making an entry in the portaudit database, immediately upon discovering a vulnerability.)

> > My *guess* is that "the largest percentage of our users" are what
> > Julian calls "release users" -- those who install a release and
> > corresponding ports, and don't touch it subsequently until they
> > become aware of a problem. They _may_ follow the security branch
> > for their base release, but that won't make them aware of issues
> > that have turned up in ports.
>
> For security issues we have portaudit to handle this.

Provided it is installed and activated. Perhaps it should be made into a part of the ports infrastructure, or even moved into the base, so as to be present on any machine having packages installed?