Thursday, March 31, 2022

No more imports, prepare for 7.1

It's time to stop importing new ports.

Updates to existing ports are still fine, but consider the risk/benefit
ratio if something goes wrong, how long it might take to notice and
fix problems. Focus on fixing problems instead of updates for
updates' sake.

Nothing left to do, you feel bored already?

* There was that recent zlib vulnerability. How many ports ship
private copies of zlib? How many are vulnerable? How about
rsync?

* A few months ago, folks were oohing and aahing over NSO's
zero-click iMessage exploit. Somewhere in Project Zero's deep
dive it said that the vulnerable JBIG2 code implementation came
from Xpdf. Does this mean that textproc/xpdf is vulnerable?

* aarch64: Now that sysctl(2) exports CPU_ID_AA64ISAR0, ports
that have hand-optimized crypto or multimedia code could make use
of this. That will require adding a smidgeon of code, though,
since the sysctl interface is different from the ELF auxv info
approach that FreeBSD and Linux take. Time for testing is running
short.
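As an added illustration of the sysctl-based feature detection the last point describes (this is example code, not part of naddy's post or of any port): the program below decodes the architecturally defined fields of ID_AA64ISAR0_EL1 into a feature mask and, on OpenBSD/arm64, fetches the register image through sysctl(2). Assumptions: the MIB is {CTL_MACHDEP, CPU_ID_AA64ISAR0}, CPU_ID_AA64ISAR0 is declared in <machine/cpu.h>, and the exported value is the raw 64-bit register; the field offsets come from the Arm Architecture Reference Manual. On any other platform the sysctl path is compiled out and the program decodes a constructed sample value instead.

```c
/* Added example (not from the original post): ID_AA64ISAR0_EL1 decoding
 * plus an OpenBSD/arm64 sysctl(2) reader. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__OpenBSD__) && defined(__aarch64__)
#include <sys/types.h>
#include <sys/sysctl.h>
#include <machine/cpu.h>   /* assumed to define CPU_ID_AA64ISAR0 */
#endif

/* Feature bits a crypto/multimedia port would typically dispatch on. */
#define FEAT_AES    (1u << 0)
#define FEAT_PMULL  (1u << 1)
#define FEAT_SHA1   (1u << 2)
#define FEAT_SHA256 (1u << 3)
#define FEAT_SHA512 (1u << 4)
#define FEAT_CRC32  (1u << 5)
#define FEAT_LSE    (1u << 6)
#define FEAT_SHA3   (1u << 7)

/* Extract the 4-bit ID field starting at bit `shift`. */
static unsigned
isar0_field(uint64_t reg, unsigned shift)
{
	return (unsigned)((reg >> shift) & 0xf);
}

/* Decode ID_AA64ISAR0_EL1: AES[7:4], SHA1[11:8], SHA2[15:12],
 * CRC32[19:16], Atomic[23:20], SHA3[35:32] (Arm ARM field layout). */
unsigned
decode_isar0(uint64_t reg)
{
	unsigned feat = 0;

	if (isar0_field(reg, 4) >= 1)  feat |= FEAT_AES;
	if (isar0_field(reg, 4) >= 2)  feat |= FEAT_PMULL;   /* AES + PMULL */
	if (isar0_field(reg, 8) >= 1)  feat |= FEAT_SHA1;
	if (isar0_field(reg, 12) >= 1) feat |= FEAT_SHA256;
	if (isar0_field(reg, 12) >= 2) feat |= FEAT_SHA512;  /* SHA256 + SHA512 */
	if (isar0_field(reg, 16) >= 1) feat |= FEAT_CRC32;
	if (isar0_field(reg, 20) >= 2) feat |= FEAT_LSE;     /* LSE atomics */
	if (isar0_field(reg, 32) >= 1) feat |= FEAT_SHA3;
	return feat;
}

/* Fetch the register image via sysctl on OpenBSD/arm64. Returns 0 on
 * success, -1 on other platforms or if the kernel does not export it,
 * in which case the caller must fall back to the generic code path. */
int
read_isar0(uint64_t *out)
{
#if defined(__OpenBSD__) && defined(__aarch64__)
	int mib[2] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
	size_t len = sizeof(*out);

	if (sysctl(mib, 2, out, &len, NULL, 0) == -1 || len != sizeof(*out))
		return -1;
	return 0;
#else
	(void)out;
	return -1;
#endif
}

int
main(void)
{
	uint64_t reg;
	unsigned feat;

	if (read_isar0(&reg) == -1) {
		/* Constructed sample: AES+PMULL, SHA1, SHA256, CRC32, LSE. */
		reg = 0x211120ULL;
		printf("sysctl unavailable, decoding constructed sample\n");
	}
	feat = decode_isar0(reg);
	printf("ID_AA64ISAR0_EL1 = 0x%016llx\n", (unsigned long long)reg);
	printf("aes=%u pmull=%u sha1=%u sha256=%u sha512=%u crc32=%u lse=%u sha3=%u\n",
	    !!(feat & FEAT_AES), !!(feat & FEAT_PMULL), !!(feat & FEAT_SHA1),
	    !!(feat & FEAT_SHA256), !!(feat & FEAT_SHA512), !!(feat & FEAT_CRC32),
	    !!(feat & FEAT_LSE), !!(feat & FEAT_SHA3));
	return 0;
}
```

The point of separating read_isar0() from decode_isar0() is that a failed sysctl (older kernel, non-arm64 build) must degrade to the portable implementation rather than to a guessed feature set; a port that assumes an instruction is present when it is not dies with SIGILL, which is exactly the class of late-noticed breakage the post warns about.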

--
Christian "naddy" Weisgerber naddy@mips.inka.de
