From: Daniel Engberg <daniel.engberg.lists@pyret.net>
To: Eugene Grosbein
Cc: Florian Smeets, ports@freebsd.org
Subject: Re: Proposed ports deprecation and removal policy
Date: Mon, 11 Mar 2024 21:24:34 +0100
Message-ID: <9646fd5d0666c8e57795ea1b370b6af1@mail.infomaniak.com>
In-Reply-To: <64c7435c-2d69-1f62-ba7c-30812860a457@grosbein.net>
References: <435edf7c-a956-4317-b327-3372de70dbef@FreeBSD.org> <1c5b7818-842f-f7b8-9d4e-5bf681cad20e@grosbein.net> <64c7435c-2d69-1f62-ba7c-30812860a457@grosbein.net>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On 2024-03-11T18:22:57.000+01:00, Eugene Grosbein wrote:
> 11.03.2024 4:49, Daniel Engberg wrote:
>
> > > > Ports can be removed immediately if one of the following conditions is met:
> > > >
> > > > - Upstream distfile is no longer available from the original source/mirror
> > > >   (Our and other distcaches e.g. Debian, Gentoo, etc. do not count as "available")
> > > > - Upstream WWW is unavailable: deprecate, remove after 3 months
> > > [skip]
> > >
> > > > A port can be deprecated and subsequently removed if:
> > > > - Upstream declared the version EOL or officially stopped development.
> > > >   DEPRECATED should be set as soon as the planned removal date is known.
> > >
> > > Objection to quoted reasons. Software that is not developed anymore but still works fine
> > > after years is the best software ever. Do not touch it, please.
> > >
> > > Some examples:
> > >
> > > mail/qpopper              abandoned by Qualcomm years ago
> > > russian/d1489             created by ache@ who passed away years ago
> > > net/quagga                abandonware but still the best OSPF implementation for the FreeBSD kernel
> > > net-im/pidgin-manualsize  abandoned by initial author years ago
> > > databases/oracle8-client  the only known library to link native FreeBSD code with for OracleDB connection
> > >
> > > Do not "fix" what ain't broken.
> > >
> > Eugene
> >
> > I'm going to assume that there will be a PR or something regarding maintained ports either way.
>
> I maintain most of the listed ports.
>
> > As far as the "Do not "fix" what ain't broken" argument goes, one major concern is how do you know,
> > especially regarding Internet-facing services?
>
> Not every port deals with the public Internet and services therein.
>
> > Qpopper (for example) has been dropped by pretty much every distro
> > https://repology.org/project/qpopper/versions and upstream is dead so there's no hub for communication.
>
> And no need to, practice shows.
>
> > There likely aren't many eyes on the software by now (I guess for both good and bad reasons)
> > but it might also very well bite you or users in the end.
>
> Until then, it works; let it be.
>
> > That being said, all software contains bugs
>
> True. The question is, do any of the bugs affect a particular setup? If not, let it be.
>
> > including active projects so it's not like it's a clean cut in terms of security concerns (wordpress)
> > but you'll likely see issues being addressed and reported when software is more widely available.
> > If upstream is dead it's very likely that security reports end up in some package repo,
> > random hosted fork or such and never find their way outside of it.
>
> There are private networks not exposed to untrusted users, or hosts not affected by any security concerns,
> including one-user-only. No need to break their setups.
>
> > Quagga is in a similar position, pfsense seems to point users to frr and there's also other software such as bird/bird2.
>
> frr development is Linux-centric and its OSPF implementation has some problems under FreeBSD ignored by developers,
> it cannot be a replacement (can't tell for bird/bird2). Quagga ospfd/bgpd work fine, let it be.
>
> > According to https://www.orafaq.com/wiki/Oracle_8 Oracle 8 support ended 20 years ago,
> > it's also marked as i386 only so its days are numbered.
>
> This is a userland library and we have no plans to eliminate userland i386 support yet.
> No alternatives, also.
>
> > Nothing is stopping people from using an overlay but not everything needs to be in, or rather stay in, the "public" repo forever.
>
> Not forever. While it works fine.
>

Eugene

Since your average user is connected to the Internet to utilize ports and/or packages, I think a sound assumption would be that the Internet is going to be an attack vector. While we can't safeguard against every possible scenario, we do have the ability to "protect" users to some extent. VuXML (CVE reporting, upstream etc.) and the ports security team exist for this very reason; if upstream reporting facilities aren't available then there's a higher risk of security reports and patches slipping by. This is one of the reasons why many repositories remove abandonware, outdated versions etc. Not saying it's a valid argument, but given our efforts to try to keep users safe in general, that approach seems reasonable? Taking it to the extreme, I'm not sure putting up a banner saying something like "X probably works fine on a private network with trusted hosts" is going to send a positive and reassuring message, or telling people when shit hits the fan "It's abandonware, you're on your own and you should've known better".

Another possible option would be to add something to the port's metadata that makes pkg aware and easily noticeable, like using a specific color for the port name and related information to signal, e.g. if it's red it means abandonware and potentially reduced security.

Best regards,
Daniel