Created attachment 179371: librsync_deprecated.patch. The project has moved to GitHub. net/librsync (librsync-0.9.7) has a security vulnerability[1] that is fixed in a newer release[2]. In the future, net/librsync2 could be moved to net/librsync. [1] - http://www.freshports.org/vuxml.php?vid=b22b016b-b633-11e5-83ef-14dae9d210b8 [2] - https://github.com/librsync/librsync/releases
CCing rene@. I don't know what the policy for expiration_date is; could you help? No ports depend on this one. Regards.
From the Porter's Handbook [1]: "There is no set policy on how much notice to give. Current practice seems to be one month for security-related issues and two months for build issues." [1] https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-deprecated.html
I have a slightly modified patch which sets the expiration date to 2017-03-01 and mentions the CVE number. Adding bdrewery as he maintains net/librsync2 and perhaps can shed some light on which version is what (net/librsync2 = 1.0.1, or is 1.0.1 a successor of 0.9.7?).
(In reply to Rene Ladan from comment #2) Oh, it was in the handbook, sorry. librsync 1.0.0 is the successor after eleven years, but newer versions are not compatible with the old 0.9.7; maybe because of this we had net/librsync and net/librsync1 (now net/librsync2) on base. Thank you.
Just noticed this PR is still on my plate; should this port just be removed?
(In reply to Rene Ladan from comment #5) Hi. This version (0.9.4) is from 2004 and it has security issues; everyone should use net/librsync2 instead. And this port is not required by any other port. So, IMO it should. Regards.
OK, I removed the port.