Date: Tue, 30 Aug 2011 11:25:48 +0200
From: Fabian Keil
To: freebsd-ports@freebsd.org
Subject: Re: Why do we not mark vulnerable ports DEPRECATED?
Message-ID: <20110830112548.073ce249@fabiankeil.de>
In-Reply-To: <4E5C79AF.6000408@FreeBSD.org>
List-Id: Porting software to FreeBSD

Doug Barton wrote:

> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
>
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain why
> this would be a bad idea?

Many vulnerabilities are only an issue for certain program
configurations; for example, most Firefox vulnerabilities seem to
require JavaScript being enabled for a site or connection controlled
by the attacker.

I haven't checked what the problems with mail/libspf2-10 are (or were),
but I don't think all vulnerabilities should be treated the same.
In my opinion having a vuxml entry is sufficient; the rest is up to
the user.

I agree with Xin Li's suggestion that it may make sense to import
portaudit to make sure the user is actually aware of the entry, though.

Fabian