> On 2016/05/04 17:48, Ted Unangst wrote:
> > i think it's time. otherwise we'll never find the bugs.
>
> I don't think it's time since afaicr nobody other than me has fixed
> anything for this in ports yet. They're not hard to find, try screen
> lockers for starters. Because this is using a different API than
> everyone else with shadow passwords we don't get fixes for free -
> anything using pw_passwd from getpw{nam,uid}() needs modifying.
>
> If you'd sent this 10 days ago we could have had enough of them
> fixed at p2k16. As I won't have time to do that now, here are
> unfiltered search results from ports source (unpacked Aug 2015
> so there may be some more by now). I'll have a look and see if
> I've got any notes on which ones I already looked at.
Bummer, bad timing.
Anyways, it would be really nice if we can get the issues resolved
before end of June, because 6.0 should have this. It is a valuable
security improvement.
