On Tue, 1 Aug 2017, Anthony J. Bentley wrote:
> Donovan Watteau writes:
> > As for Gnuboy: is it dead, or is it done? There are other "old
> > alternatives" in the ports tree (for example in editors), and we're
> > keeping them, as long as there's someone taking care of them (unless
> > the code is too broken or too dangerous). Gambatte is more modern,
> > but it looks mostly unmaintained for the past 3 years, so I don't
> > know if the difference with Gnuboy is that big.
>
> Gnuboy has been completely unmaintained for over 15 years. That's a
> significant difference.
>
> > "avoid adding old stuff to the ports
> > tree if there's a good alternative that's maintained"
>
> I agree with that sentiment. The trouble with providing packages is
> that if they exist, people use them. Auditing the entire ports tree is
> obviously impossible, but we should put at least occasional effort into
> pruning very old ports and refrain from adding old software that is
> likely to be a problem.
>
> Emulators in particular are prone to security issues. They frequently
> allocate buffers, *constantly* deal with untrusted input, and execute
> code by nature. Holes are common:
>
> https://mgba.io/2016/09/13/fuzzing-emulators/
> https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
> https://www.youtube.com/watch?v=Q3SOYneC7mU
>
> Thanks for porting, but this particular port I would rather not have
> in tree.

You've made a really good point. It's all OK for me, don't add it.
Thanks.