On Tue, 1 Aug 2017, Anthony J. Bentley wrote: > Donovan Watteau writes: > > As for Gnuboy: is it dead, or is it done? There are other "old > > alternatives" in the ports tree (for example in editors), and we're > > keeping them, as long as there's someone taking care of them (unless > > the code is too broken or too dangerous). Gambatte is more modern, > > but it looks mostly unmaintained for the past 3 years, so I don't > > know if the difference with Gnuboy is that big. > > Gnuboy has been completely unmaintained for over 15 years. That's a > significant difference. > > > "avoid adding old stuff to the ports > > tree if there's a good alternative that's maintained" > > I agree with that sentiment. The trouble with providing packages is > that if they exist, people use them. Auditing the entire ports tree is > obviously impossible, but we should put at least occasional effort into > pruning very old ports and refrain from adding old software that is > likely to be a problem. > > Emulators in particular are prone to security issues. They frequently > allocate buffers, *constantly* deal with untrusted input, and execute > code by nature. Holes are common: > > https://mgba.io/2016/09/13/fuzzing-emulators/ > https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html > https://www.youtube.com/watch?v=Q3SOYneC7mU > > Thanks for porting, but this particular port I would rather not have > in tree.
You've made a really good point. It's all OK for me, don't add it. Thanks.
