Bug 263591 - databases/mysql57-server: mark EOL date (and has vulnerabilities, but no upstream update yet)
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Jochen Neumeister
Reported: 2022-04-26 17:59 UTC by John Hein
Modified: 2022-05-18 19:19 UTC

Flags: bugzilla: maintainer-feedback? (joneum)
Description John Hein 2022-04-26 17:59:40 UTC
According to https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf, mysql 5.7 is EOL in Oct 2023 (presumably that means Oct 1?).

The latest 5.7 (5.7.37) has vulnerabilities (https://vuxml.FreeBSD.org/freebsd/add683be-bd76-11ec-a06f-d4c9ef517024.html).  No newer 5.7.* release is currently available (see https://downloads.mysql.com/archives/community/).

The git repo shows some activity on the 5.7 branch: https://github.com/mysql/mysql-server/commits/5.7.  But no new release.  I did not investigate if the vulnerabilities (some of which mention possible remote code execution) have been fully addressed.

We should probably at least mark the mysql57* ports with a deprecation notice.
Comment 1 John Hein 2022-04-26 23:16:26 UTC
FYI, mysql80* is in the same boat - latest (8.0.28) is vulnerable, and no upstream release addressing those vulnerabilities.  [But it looks like 8.0 EOL is in 2026]
Comment 2 Jochen Neumeister freebsd_committer freebsd_triage 2022-05-17 15:14:34 UTC
MySQL is marked as EOL in FreeBSD at the appropriate time
Comment 3 John Hein 2022-05-17 15:34:58 UTC
(In reply to Jochen Neumeister from comment #2)
Where is that EOL marking?
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2022-05-17 15:46:48 UTC
When I think it is the right time, I will insert it
Comment 5 John Hein 2022-05-17 17:18:01 UTC
(In reply to Jochen Neumeister from comment #4)
Oh, okay.  Thanks.  I thought you were saying it already is marked now.
Comment 6 Jochen Neumeister freebsd_committer freebsd_triage 2022-05-18 05:47:37 UTC
There is even MySQL 5.5 still in the ports with EOL 6/30/2022.

Next, MySQL 5.6 should be marked as EOL. Here I have to see when is a good date.

MySQL 5.7 is the current default version in FreeBSD. If this is now marked as EOL, it usually causes chaos. I have planned for the end of the year to start working on the new default version MySQL 8.0 - this will also be a long process.
Comment 7 John Hein 2022-05-18 19:11:02 UTC
(In reply to Jochen Neumeister from comment #6)
Ok.  When I opened this, I was getting vulnerability warnings when building 5.7.37.  I looked at https://downloads.mysql.com/archives/community/ and saw that there was no 5.7.38, but I failed to see (at that time) there actually was a 5.7.38 that was released (latest is at https://dev.mysql.com/downloads/mysql/5.7.html).  At that time, it was beginning to look like the vulnerabilities on the 5.7 branch were not getting upstream attention (which is what prompted this PR).  But I just missed that 5.7.38 was available (2022-03-21).

Then you updated to 5.7.38 on Apr 30, so that fixed the vulnerability issue.  Thanks for that.

mysql56-server is at 5.6.51 latest upstream and the 5.6 branch went EOL Feb 2021.  And it has a ton of CVEs (going back to 2020), unaddressed upstream.  As you say, it should be marked EOL for sure - sooner than later if those CVEs are at all important (at a quick sampling, they do seem to be).  But the important part is that the users who build from ports will get notified about those vulnerabilities, so they can examine each documented vulnerability and judge for themselves.  It's not quite as obvious for binary package users.
Comment 8 Jochen Neumeister freebsd_committer freebsd_triage 2022-05-18 19:19:32 UTC
MySQL 5.6 received its last update this year in February.
MySQL 5.5 has now been in the ports for 4 years and will be removed at the end of Q2.
However, I will not keep MySQL 5.6 in the ports for 4 years now.
I think end Q1 2023 will be a good time to remove MySQL 5.6 from the ports.
MySQL 5.7 will be in the ports for a few more years.