Bug 211975 - Adding deleted/expired/End of Life ports to vuxml
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mark Felder
Reported: 2016-08-18 21:42 UTC by Mark Felder
Modified: 2017-01-09 16:26 UTC
Description Mark Felder freebsd_committer 2016-08-18 21:42:12 UTC
I am starting an initiative to add deleted/expired/End of Life ports to vuxml. This is to cover a gap we have with vuxml and pkg audit where users can be running EoL software for many years and potentially have clean pkg audit reports. It is not going to be feasible to add every deleted / expired port to vuxml, but we should be able to cover popular software (languages, libraries, databases, webservers) and start adding entries going forward.

This does not cover a disregard for updating the FreeBSD base system. It has been hard to monitor for that in the past and it's possible only application-level vulnerabilities are part of their threat model.

We should not recycle the exact same vuxml entry forever. This is primarily because it creates noise for users of the Freshports website every time you update the vuxml entry with a <modified> date, but also because we should consider entering more detail in the description of the vuxml entry where possible.

Please join me in this effort. If you are aware of a popular bit of software that deserves an entry and you can correctly identify what its PKGNAME was, I would appreciate it if you could let me know or add it to the current "End of Life Ports" vuxml entry.


Thanks!
Comment 1 commit-hook freebsd_committer 2016-08-18 21:44:56 UTC
A commit references this bug:

Author: feld
Date: Thu Aug 18 21:44:35 UTC 2016
New revision: 420425
URL: https://svnweb.freebsd.org/changeset/ports/420425

Log:
  Add a number of old expired and End of Life ports to vuxml

  PR:		211975

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer 2016-08-19 14:02:43 UTC
A commit references this bug:

Author: feld
Date: Fri Aug 19 14:02:12 UTC 2016
New revision: 420470
URL: https://svnweb.freebsd.org/changeset/ports/420470

Log:
  Fix PKGNAME matching for old ruby in vuxml

  PR:		211975

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer 2016-08-19 15:05:51 UTC
A commit references this bug:

Author: feld
Date: Fri Aug 19 15:05:36 UTC 2016
New revision: 420474
URL: https://svnweb.freebsd.org/changeset/ports/420474

Log:
  Fix ruby version range which was missing the important portepoch

  Add postgres and mysql to the EoL port list

  PR:		211975

Changes:
  head/security/vuxml/vuln.xml
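
Added example (not part of the bug thread, and not code from the FreeBSD project or from vuln.xml): the fix in Comment 3 concerns PORTEPOCH in version ranges, and this Python example shows why a range bound written without the epoch never matches an installed package that carries one. The package fragments, the version strings and the numeric-only version comparison are constructed assumptions; pkg's real comparison handles more version forms.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed VuXML-style <package> fragments, not copied from vuln.xml.
# The only difference is the ",1" PORTEPOCH suffix on the upper bound.
WITHOUT_EPOCH = "<package><name>ruby</name><range><lt>1.9</lt></range></package>"
WITH_EPOCH = "<package><name>ruby</name><range><lt>1.9,1</lt></range></package>"

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}


def parse_version(text):
    """Turn 'version[_revision][,epoch]' into a sortable key.

    The epoch is placed first in the key, so it outranks the version
    itself. Simplification: only dotted numeric versions are supported.
    """
    text, _, epoch = text.strip().partition(",")
    text, _, revision = text.partition("_")
    numbers = tuple(int(part) for part in text.split("."))
    return (int(epoch or 0), numbers, int(revision or 0))


def matches(package_xml, name, version):
    """Return True if the installed name/version falls inside the entry.

    Every bound inside one <range> must hold; several <range> elements
    are alternatives.
    """
    pkg = ET.fromstring(package_xml)
    if name not in [n.text for n in pkg.findall("name")]:
        return False
    installed = parse_version(version)
    return any(
        all(OPS[bound.tag](installed, parse_version(bound.text)) for bound in rng)
        for rng in pkg.findall("range")
    )


if __name__ == "__main__":
    installed = "1.8.7.374_2,1"  # constructed installed version with epoch 1
    for label, entry in (("without epoch", WITHOUT_EPOCH), ("with epoch", WITH_EPOCH)):
        print(label, "->", matches(entry, "ruby", installed))
```
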
Comment 4 VK freebsd_triage 2016-10-07 10:41:34 UTC
* www/py-django16 expired but still in the ports, see bug #213269.
* www/drupal6 expired earlier this year with a bunch of modules, see bug #209954.
Comment 5 commit-hook freebsd_committer 2017-01-09 16:26:20 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 16:25:20 UTC 2017
New revision: 430975
URL: https://svnweb.freebsd.org/changeset/ports/430975

Log:
  Add additional EoL ports to vuxml

  PR:		211975

Changes:
  head/security/vuxml/vuln.xml