Jonathan Schleifer <js-pkgsrc%webkeks.org@localhost> writes: > Am 09.06.2011 um 14:08 schrieb Greg Troxel: > >> Generally, my opinion is to assess whether having the package removed is >> in the best interest of pkgsrc users, keeping in mind finite effort on >> the part of pkgsrc maintainers. Removing pacakges makes it harder to >> update them later, while leaving a package at a slightly old revision >> with known vulnerabilities causes almost no problems. And, removal >> makes it harder for a user to choose to use the package anyway. > > Well, the question is: Does it make sense to use a package that not > only has security holes which are not being fixed, but even has a new > security hole almost each week? The problem is that the number of > unfixed security holes only gets bigger. That's the question for individual users. The question for pkgsrc maintenance is whether leaving it there until it gets fixed is likely to be better for all than removing it rapidly. I find there to be a general problem in pkgsrc that people want to delete things they don't care for personally. >> You say that you're using it, but that it's "just not helping at all". >> That seems inconsistent. > > Well, basically, I do make configure, patch it manually and then build > it. However, with each update to a dependency of asterisk, I have to > do that again, so it actually is more work than building asterisk > without pkgsrc. You can just put the patches in patches/ and make distinfo, and your checkout will remember them. You could then even cvs diff and send-pr...
Description: PGP signature