Hasn't seen development in a very long time and security can be discussed. Retire and point users to security/age? There's also https://github.com/str4d/rage but it's not ported yet.
I'm looking into it.
While it's true that bcrypt hasn't seen significant updates recently, it's still a widely used and referenced tool in many publications and howtos. Its stability and familiarity make it a valuable asset in the ports tree. I've taken note of the suggestion to point users towards security/age. Additionally, I've just added a new port for https://github.com/str4d/rage, now available under security/rust-rage. This offers an alternative for those seeking more actively developed solutions. However, considering the current usage and the lack of a widespread move towards deprecating bcrypt across various repositories (as seen on portscout.org), I recommend keeping bcrypt in the FreeBSD ports for the time being. This approach ensures support for users and systems still dependent on bcrypt, while also providing options for those looking to transition to newer tools like rust-rage or age.
Hi,

Thanks for looking into it! I guess you meant repology instead of portscout? https://repology.org/project/bcrypt/versions

If we look at "larger" distros that don't carry it: Alpine, Arch, Debian 11 or newer, Gentoo, OpenBSD, OpenSUSE, Ubuntu 20 or newer. The only (recent) distro that still carries it is Fedora, so I think this can be safely set to something like end of 2024Q2 if you want to keep it in for that period of time?

Best regards,
Daniel
(In reply to Daniel Engberg from comment #3) Of course you're right, I meant repology.org. My stance remains that unless there are identified security issues directly associated with bcrypt, it would be beneficial to keep it in the FreeBSD ports for now. Its stability, documentation in numerous guides and resources, and user familiarity are significant factors. These aspects, combined with the fact that there isn't an active movement to deprecate it due to security vulnerabilities, support its continued presence in the ports.
Here's a few... https://bugs.gentoo.org/592114 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864253
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=559b574607a969d99ef4aa1d2f3ce464a8f15950

commit 559b574607a969d99ef4aa1d2f3ce464a8f15950
Author:     Emanuel Haupt <ehaupt@FreeBSD.org>
AuthorDate: 2024-06-02 10:56:04 +0000
Commit:     Emanuel Haupt <ehaupt@FreeBSD.org>
CommitDate: 2024-06-02 10:56:04 +0000

    security/bcrypt: Deprecate port

    Hasn't seen updates in 15 years, insecure Blowfish ECB mode, unauthenticated encryption.

    See:
    https://bugs.gentoo.org/592114
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864253

    PR:             276564
    Reported by:    diizzy

 security/bcrypt/Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
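The two defects named in the commit message (ECB mode and no authentication) are easy to see concretely. The following is an added example, not code from the bcrypt port or from anyone in this thread. Blowfish is not in the Python standard library, so a small 64-bit Feistel network with an HMAC-SHA256 round function stands in for it (Blowfish is also a 64-bit-block Feistel cipher, so the ECB and tampering behaviour is the same); the key, record layout and function names are constructed for the demonstration.

```python
"""Why "Blowfish ECB mode, unauthenticated encryption" is a problem.

Added example, not the port's code.  A 64-bit Feistel network keyed through
HMAC-SHA256 stands in for Blowfish; it is a teaching device, not a cipher
to deploy.
"""
import hashlib
import hmac

BLOCK = 8      # 64-bit block, as in Blowfish
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Round function F: keyed hash of (round number, right half), 4 bytes
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l                      # final swap, standard Feistel layout


def decrypt_block(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]       # undo the final swap
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each block is encrypted independently with the same key
    assert len(data) % BLOCK == 0, "example keeps inputs block-aligned"
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(decrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def block_pattern(data: bytes) -> tuple:
    """Fingerprint: for each block, the index of its first occurrence.
    Equal plaintext blocks give equal ciphertext blocks under ECB, so this
    fingerprint survives encryption and an observer learns the structure."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    first = {}
    for idx, b in enumerate(blocks):
        first.setdefault(b, idx)
    return tuple(first[b] for b in blocks)


def ecb_leaks_pattern(key: bytes, plaintext: bytes) -> bool:
    return block_pattern(plaintext) == block_pattern(ecb_encrypt(key, plaintext))


def tamper_goes_unnoticed(key: bytes, plaintext: bytes, block_index: int) -> bool:
    """Without a MAC a modified ciphertext still 'decrypts': only the touched
    block changes and nothing tells the recipient that anything happened."""
    ct = bytearray(ecb_encrypt(key, plaintext))
    ct[block_index * BLOCK] ^= 0x01
    recovered = ecb_decrypt(key, bytes(ct))
    untouched = [recovered[i:i + BLOCK] == plaintext[i:i + BLOCK]
                 for i in range(0, len(plaintext), BLOCK)]
    untouched[block_index] = True     # ignore the block that was changed
    return all(untouched)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC-SHA256 tag."""
    mac_key = hashlib.sha256(b"mac|" + key).digest()   # simple key split
    ct = ecb_encrypt(key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return ecb_decrypt(key, ct)


def tamper_with_mac_is_rejected(key: bytes, plaintext: bytes) -> bool:
    blob = bytearray(seal(key, plaintext))
    blob[0] ^= 0x01
    return open_sealed(key, bytes(blob)) is None


# Constructed sample: a fixed-width record file with repeated fields
KEY = b"constructed-demo-key"
RECORD = (b"ACCT0001" + b"BALANCE:" + b"00000100"
          + b"ACCT0002" + b"BALANCE:" + b"00000100")

if __name__ == "__main__":
    print("ECB leaks block structure:", ecb_leaks_pattern(KEY, RECORD))
    print("tamper undetected without MAC:", tamper_goes_unnoticed(KEY, RECORD, 2))
    print("tamper rejected with MAC:", tamper_with_mac_is_rejected(KEY, RECORD))
```

`block_pattern` is the same check an analyst would run over a suspect file: under ECB, identical 8-byte fields produce identical ciphertext blocks, so the record layout (and which accounts share a balance) is visible without the key. The second function shows that a ciphertext edit decrypts silently to a changed record, which is what "unauthenticated encryption" means in practice; `seal`/`open_sealed` add the tag that modern tools such as age provide by construction.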
Fair enough, I guess it's time to deprecate this. Thanks.