Control: severity -1 normal

So long as we ship CVS in general and there are earnest CVS deployments in the wild (for better or for worse), I don't see a compelling reason for CVS being a carte blanche de mal.
The statement at https://cgit.freebsd.org/doc/commit/?id=65402a3cc2b34ee34ddb598266b5cc30ef03d41b reads like a generic "we don't maintain this anymore" liability disclaimer for those hypothetical "unpatched security issues".

To this end, both OpenBSD and openwall have CVSWeb sites:
  https://cvsweb.openbsd.org/
  https://cvsweb.openwall.com/
are these insecure? Very unlikely.

The openwall one points at FreeBSD but the OpenBSD one doesn't; accd'g to https://openports.pl/path/devel/cvsweb, it's using the https://cvsweb.bsd.lv/ upstream which explicitly adopts it:
> CVSweb was originally developed by members of the FreeBSD project
> and is currently maintained by on BSD.lv.
and the 3.x branch we ship hasn't received a new release (but the 2.x branch did get a release with fixes, so if 3.x needed one it would've gotten it).

I see an ITA dated 2024-12-02 in #660684 from Jing Luo, whom I've CCed.

The VCS looks to be svn://anonscm.debian.org/collab-maint/deb-maint/cvsweb/trunk/ and this has not been preserved on alioth-archive.debian.org. I've imported the history to
  https://salsa.debian.org/salvage-team/cvsweb
a DD should move this to
  https://salsa.debian.org/debian/cvsweb
and invite Jing (@del111).

Given there's no new release, I think that all this really wants, from a longevity standpoint, is a simple watch file and retargeting the Homepage: at https://cvsweb.bsd.lv/.

Best,