It's time to stop importing new ports. Updates to existing ports are still fine, but consider the risk/benefit ratio if something goes wrong, how long it might take to notice and fix problems. Focus on fixing problems instead of updates for updates' sake.
Nothing left to do, you feel bored already?

* There was that recent zlib vulnerability. How many ports ship private copies of zlib? How many are vulnerable? How about rsync?
* A few months ago, folks were oohing and aahing over NSO's zero-click iMessage exploit. Somewhere in Project Zero's deep dive it said that the vulnerable JBIG2 code implementation came from Xpdf. Does this mean that textproc/xpdf is vulnerable?
* aarch64: Now that sysctl(2) exports CPU_ID_AA64ISAR0, ports that have hand-optimized crypto or multimedia code could make use of this. That will require adding a smidgeon of code, though, since the sysctl interface is different from the ELF auxv info approach that FreeBSD and Linux take. Time for testing is running short.

--
Christian "naddy" Weisgerber [email protected]
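An added example, not part of the original message or of any port: one way the aarch64 item could look in a port's CPU detection, reading CPU_ID_AA64ISAR0 through sysctl(2) and decoding the crypto fields, with a fallback to generic code when the query is unavailable. The FEAT_* flags and the function names are hypothetical; the field positions are those of the Arm ID_AA64ISAR0_EL1 register.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__OpenBSD__) && defined(__aarch64__)
#include <sys/types.h>
#include <sys/sysctl.h>
#include <machine/cpu.h>	/* CPU_ID_AA64ISAR0 */
#endif

/* Hypothetical feature flags for this example. */
enum { FEAT_AES = 1, FEAT_PMULL = 2, FEAT_SHA1 = 4,
       FEAT_SHA256 = 8, FEAT_SHA512 = 16, FEAT_CRC32 = 32 };

/* ID_AA64ISAR0_EL1 is a series of 4-bit fields; 0 means "not implemented". */
static unsigned field(uint64_t reg, unsigned shift)
{
	return (unsigned)((reg >> shift) & 0xf);
}

unsigned decode_isar0(uint64_t isar0)
{
	unsigned f = 0;
	if (field(isar0, 4) >= 1)  f |= FEAT_AES;	/* AES, bits 7:4 */
	if (field(isar0, 4) >= 2)  f |= FEAT_PMULL;	/* AES field value 2 adds PMULL */
	if (field(isar0, 8) >= 1)  f |= FEAT_SHA1;	/* SHA1, bits 11:8 */
	if (field(isar0, 12) >= 1) f |= FEAT_SHA256;	/* SHA2, bits 15:12 */
	if (field(isar0, 12) >= 2) f |= FEAT_SHA512;	/* SHA2 field value 2 adds SHA512 */
	if (field(isar0, 16) >= 1) f |= FEAT_CRC32;	/* CRC32, bits 19:16 */
	return f;
}

/* Returns 0 and fills *out on success, -1 if the register cannot be read. */
int read_isar0(uint64_t *out)
{
#if defined(__OpenBSD__) && defined(__aarch64__)
	int mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
	size_t len = sizeof(*out);
	if (sysctl(mib, 2, out, &len, NULL, 0) == -1 || len != sizeof(*out))
		return -1;
	return 0;
#else
	(void)out;
	return -1;
#endif
}

int main(void)
{
	uint64_t isar0;
	/* No answer means no features: select the generic C code paths. */
	unsigned f = read_isar0(&isar0) == 0 ? decode_isar0(isar0) : 0;
	printf("features: 0x%x\n", f);
	return 0;
}
```

Treating a failed or short sysctl read as "no features" keeps the port on its portable code path instead of executing an instruction the CPU may not implement.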
