Date: Sat, 16 Mar 2024 11:03:44 +0100
Subject: Re: Proposed ports deprecation and removal policy
From: Daniel Engberg
To: Eugene Grosbein
Cc: Florian Smeets, ports@freebsd.org
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On 2024-03-15T08:25:10.000+01:00, Eugene Grosbein wrote:
> 15.03.2024 3:37, Daniel Engberg wrote:
>
> > On 2024-03-12T15:15:49.000+01:00, Eugene Grosbein wrote:
> >
> > > 12.03.2024 3:24, Daniel Engberg wrote:
> > >
> > > [skip]
> > >
> > > > Another possible option would be to add something to the port's metadata that makes pkg aware and easily noticeable
> > > > like using a specific color for portname and related information to signal
> > > > like if it's red it means abandonware and potentially reduced security.
> > >
> > > Of course, we need to inform users but not enforce. Tools, not policy.
> > >
> > Eugene
> >
> > Hi,
> >
> > Given that we seem to agree on these points in general why should such ports still be kept in the tree?
>
> A port should be kept in the tree until it works and has no known security problems, not imaginable.
>
> > We don't have such tooling available and it won't likely happen anytime soon.
> > Because it's convenient for a committer who uses these in a controlled network despite being potentially harmful for others?
>
> "Potentially harmful" is not a valid reason to remove a port. Look at the vulnerability history of any modern web browser.
> We know they are full of security holes. All of them. And will be despite being supported by developers, it does not matter in fact.
> Old software is often much more simple and secure despite the lack of support.
>
> Do not remove ports just due to theorizing.
>
Eugene

A key difference is though that browsers such as Firefox or Chromium are maintained upstream including reporting etc. That's a very different matter compared to using even a deprecated version upstream of let's say Apache (1.3.x for example). I agree it's a difficult topic and I think for the sake of user experience/friendliness (if we are to take that into account) apart from the rest of potential issues most will not scour the internet to determine this.

Best regards,
Daniel