On 2/24/26 06:30, Dag-Erling Smørgrav wrote:
> - Simply moving the code to ports will do nothing to address the underlying issue, and I will strenuously object to adding software with known vulnerabilities to the ports tree.

On this issue: we have generally created ports for things moved out of base to give users an option if they really need the thing. If the standard for being in ports was "no known vulnerabilities" I think we wouldn't have much of a ports collection. I think a more realistic understanding is that using old things from ports is "at your own risk". Program A might be insecure in one context but not others, and just because it is insecure in at least one context doesn't mean we should ban it from being used by everyone. So I think creating a port is reasonable so long as the description is clear that "this is the last snapshot of the thing before we removed it" which communicates "use at your own risk". The benefit of moving known foot-guns to ports is that it makes that risk opt-in instead of opt-out.

-- 
John Baldwin
