From: Ben Woods
Date: Sun, 26 Nov 2017 00:48:41 +0000
Subject: Re: why pkgs with vulnerabilities on quarterly aren’t updated
To: rplace
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20171125162116.GA7147@03c0.comcast.net>

On Sun, 26 Nov 2017 at 12:22 am, rplace wrote:

> Every day I check pkg audit -F on 11.1 from quarterly, and for like a month
> it’s listed many xorg-server vulnerabilities. And now it’s listed firefox-esr
> vulnerabilities for what seems like at least a week.
>
> For xorg-server, I see that there’s
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223286
> which has drawn zero attention.
>
> I see that there are newer versions in latest.
>
> How do I tell when issues have fallen between the cracks vs
> a change deliberately not being brought to quarterly?
>
> In cases like this, does it make sense to talk to maintainers,
> or to one of the pkg/ports lists, or…?

Hi rplace,

Quarterly branches are definitely supposed to receive security updates. Sometimes people forget, and if this is the case you absolutely should remind them.
Ideally this would just be the minimal update to address the vulnerability, without bringing new features. However, patches do not always exist, and sometimes this is not easy.

Where security issues have been addressed in the head branch, but not the quarterly branch, I recommend:

- checking if the commit to head had a MFH request (merge from head)... perhaps the committer is just waiting for the approval to merge the commit to quarterly.
- if there was a bug report, check if it has been closed or if it is still open awaiting the MFH (there is a flag in bugzilla that can be set to show this is the status).
- if a number of days (closer to a week) has passed since it was addressed in head and it still hasn’t been addressed in quarterly, or there was no MFH commentary to suggest it would be addressed in quarterly, then I suggest either commenting on the bug report that was related to the commit to state the MFH has been forgotten (reopen the bug), or raise a new bug report, ensuring that the person who made the commit to head gets automatically assigned as the assignee after raising or add them to the CC list manually.

Regards,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com
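The question in this thread is how to notice when a `pkg audit -F` finding has been sitting unaddressed for longer than the "closer to a week" that Ben suggests before chasing the MFH. The script below is an added example, not code from the thread or from the FreeBSD project: it parses the `<name>-<version> is vulnerable:` marker lines that `pkg audit` prints, records the date each vulnerable package was first seen in a small JSON state file, and lists the packages that have been flagged for more than a configurable number of days. The sample audit output, the package versions in it, the state file path and the seven-day threshold are all constructed assumptions for illustration.

```python
"""Age-tracking wrapper for `pkg audit -F` (added example, not the project's own code).

Run it once a day (from cron or periodic); the JSON state file remembers when
each vulnerable package was first reported, so packages that have stayed
vulnerable past AGE_DAYS can be followed up (bug report / MFH status) instead
of silently scrolling past in the daily output.
"""
import json
import re
import subprocess
import sys
from datetime import date, timedelta
from pathlib import Path

AGE_DAYS = 7                                      # assumption: "closer to a week"
STATE_FILE = Path("/var/db/pkg-audit-age.json")   # hypothetical state file location

# `pkg audit` prints one "<pkgname>-<version> is vulnerable:" line per hit.
VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
# Strip the trailing -<version>[,<epoch>] so the key survives package upgrades.
NAME_RE = re.compile(r"^(.*)-[^-]+$")

# Constructed sample of `pkg audit -F` output (versions and URL are placeholders).
SAMPLE_AUDIT = """\
xorg-server-1.18.4_10,1 is vulnerable:
xorg-server -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-1.html

firefox-esr-52.4.0_1,1 is vulnerable:
firefox-esr -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-2.html

2 problem(s) in 2 installed package(s) found.
"""


def parse_audit(output: str) -> dict:
    """Return {package name without version: full name-version} for every hit."""
    found = {}
    for line in output.splitlines():
        m = VULN_RE.match(line)
        if m:
            full = m.group(1)
            found[NAME_RE.match(full).group(1)] = full
    return found


def update_state(state: dict, found: dict, today: date) -> dict:
    """Keep first_seen for packages still flagged at the same version.

    A package that disappears from the audit output is dropped; a package that
    reappears at a different (still vulnerable) version restarts its clock.
    """
    new_state = {}
    for name, full in found.items():
        prev = state.get(name)
        if prev and prev["version"] == full:
            new_state[name] = prev
        else:
            new_state[name] = {"version": full, "first_seen": today.isoformat()}
    return new_state


def stale(state: dict, today: date, age_days: int = AGE_DAYS) -> list:
    """Names of packages first seen at least age_days ago, sorted."""
    cutoff = today - timedelta(days=age_days)
    return sorted(name for name, rec in state.items()
                  if date.fromisoformat(rec["first_seen"]) <= cutoff)


def load_state(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def run_audit() -> str:
    # -F fetches a fresh vuln database; pkg audit exits non-zero when hits exist,
    # so do not use check=True here.
    proc = subprocess.run(["pkg", "audit", "-F"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    today = date.today()
    output = run_audit() if "--live" in sys.argv else SAMPLE_AUDIT
    state = update_state(load_state(STATE_FILE), parse_audit(output), today)
    if "--live" in sys.argv:
        STATE_FILE.write_text(json.dumps(state, indent=2))
    for name in stale(state, today):
        rec = state[name]
        print(f"{rec['version']}: vulnerable since {rec['first_seen']} "
              f"- check the bug report / MFH status")
```

Without `--live` the script runs against the constructed sample so the parsing and aging logic can be inspected offline; with `--live` it calls `pkg audit -F` and persists the state file, which is the mode you would schedule. The threshold is deliberately the same order of magnitude as the thread's advice, so a package listed by the script is one where it is reasonable to look for the MFH request or reopen the bug.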