Bug 203995

Summary: [patch] www/joomla15: Deprecation
Product: Ports & Packages Reporter: Torsten Zühlsdorff <ports>
Component: Individual Port(s)Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED    
Severity: Affects Only Me CC: feld, junovitch, ports-secteam, robi
Priority: --- Keywords: patch-ready, security
Version: LatestFlags: junovitch: maintainer-feedback-
junovitch: merge-quarterly+
Hardware: Any   
OS: Any   
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204016
Attachments:
Description Flags
deprecation path for www/joomla15
none
deprecated/forbid both www/joomla15 and www/joomla25 junovitch: maintainer-approval? (ports-secteam)

Description Torsten Zühlsdorff 2015-10-24 09:15:44 UTC 
Created attachment 162409 [details]
deprecation path for www/joomla15

Hello,

according to the life circle of Joomla the Version 1.5 reached its end of life in September 2012:
https://docs.joomla.org/What_version_of_Joomla!_should_you_use%3F

Therefore we should deprecate and remove this port from the tree.

At the moment there is also www/joomla25 and www/joomla31. Both needs to be deprecated too. But currently there is no actual joomla version in the tree the user can update to. Therefore i will add a deprecation patch for this versions after i wrote a port for the current joomla version. In the meantime a 1.5 user can switch up to 2.5.

Greetings,
Torsten
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2015-10-24 15:08:01 UTC 
Nicola, this was assigned to you even though you were not the maintainer of that particular version.  Please feel free to reassign it if you wish.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-10-25 04:01:14 UTC 
Created attachment 162437 [details]
deprecated/forbid both www/joomla15 and www/joomla25

Torsten,
Thank you!  Per the porter's handbook, we also need to mark this FORBIDDEN.  I think we should deprecate both before 2016Q1 gets branched as well so I've shortened the timelines.

https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-noinstall.html

Also, www/joomla31 uses a different package name then the port origin suggests (`make -VPKGNAME` is joomla3-3.2.3).  It probably should have been named www/joomla3.

Ports-secteam,

Both these ports are well past their usable life and I think the most responsible thing at this point is to immediately forbid and deprecated them as well as MFH this to prevent those packages from being built by default quarterly.

Approval to apply this patch for both ports with 'Approved by: ports-secteam (name)"?

Log:
www/joomla{15,25}: mark FORBIDDEN and DEPRECATED

Joomla 1.5 was end of life in December 2012
Joomla 2.5 was end of life in December 2014

Reference:	https://www.joomla.org/about-joomla/technical-requirements.html

PR:		203995
Submitted by:	Torsten Zühlsdorff <ports@toco-domains.de> (original patch)
Security:	CVE-2014-6632
Security:	CVE-2014-7228
Security:	CVE-2014-7229
Security:	https://vuxml.freebsd.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
Security:	https://vuxml.freebsd.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
MFH:		2015Q4
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-10-30 00:15:35 UTC 
Ping.

Any issues with an 'Approved by: ports-secteam' to immediately mark these long past EOL ports DEPRECATED and FORBIDDEN?
Comment 4 Torsten Zühlsdorff 2015-11-03 08:30:25 UTC 
J
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-11-07 23:28:36 UTC 
A commit references this bug:

Author: junovitch
Date: Sat Nov  7 23:28:10 UTC 2015
New revision: 401027
URL: https://svnweb.freebsd.org/changeset/ports/401027

Log:
  www/joomla{15,25}: mark FORBIDDEN and DEPRECATED

  Joomla 1.5 was end of life in September 2012
  Joomla 2.5 was end of life in December 2014

  Reference:	https://docs.joomla.org/What_version_of_Joomla!_should_you_use

  PR:		203995
  Submitted by:	Torsten Zuhlsdorff <ports@toco-domains.de> (original patch)
  Approved by:	maintainer timeouts (2 weeks)
  Security:	CVE-2014-6632
  Security:	CVE-2014-7228
  Security:	CVE-2014-7229
  Security:	https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
  MFH:		2015Q4

Changes:
  head/www/joomla15/Makefile
  head/www/joomla25/Makefile
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-11-10 01:15:36 UTC 
A commit references this bug:

Author: junovitch
Date: Tue Nov 10 01:15:21 UTC 2015
New revision: 401181
URL: https://svnweb.freebsd.org/changeset/ports/401181

Log:
  MFH: r401027

  www/joomla{15,25}: mark FORBIDDEN and DEPRECATED

  Joomla 1.5 was end of life in September 2012
  Joomla 2.5 was end of life in December 2014

  Reference:	https://docs.joomla.org/What_version_of_Joomla!_should_you_use

  PR:		203995
  Submitted by:	Torsten Zuhlsdorff <ports@toco-domains.de> (original patch)
  Approved by:	maintainer timeouts (2 weeks)
  Approved by:	ports-secteam (feld)
  Security:	CVE-2014-6632
  Security:	CVE-2014-7228
  Security:	CVE-2014-7229
  Security:	https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html

Changes:
_U  branches/2015Q4/
  branches/2015Q4/www/joomla15/Makefile
  branches/2015Q4/www/joomla25/Makefile
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2015-11-10 01:21:02 UTC 
- Set maintainer-feedback- based on maintainer timeout
- Set merge-quarterly+ based on MFH in r401181

Torsten, I was going to follow up with closing the PR after the MFH but thanks for being proactive and closing it.