Doug Barton <do...@freebsd.org> wrote:

> I'm doing some updates and came across mail/postfix-policyd-spf which
> relies on mail/libspf2-10. The latter had a vuxml entry added on
> 2008-10-27. So my question is, why has mail/libspf2-10 been allowed to
> remain in the tree vulnerable for almost 3 years?
>
> Wouldn't it make more sense to mark vulnerable ports DEPRECATED
> immediately with a short expiration? When they get fixed they get
> un-deprecated. If they don't, they get removed. Can someone explain why
> this would be a bad idea?
Many vulnerabilities are only an issue for certain program configurations; for example, most Firefox vulnerabilities seem to require JavaScript to be enabled for a site or connection controlled by the attacker. I haven't checked what the problems with mail/libspf2-10 are (or were), but I don't think all vulnerabilities should be treated the same. In my opinion, having a vuxml entry is sufficient; the rest is up to the user.

I agree with Xin Li's suggestion that it may make sense to import portaudit to make sure the user is actually aware of the entry, though.

Fabian