Date:      Mon, 20 Jan 2025 17:35:58 GMT
From:      Fernando Apesteguía <fernape@FreeBSD.org>
To:        doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject:   git: b640c77727 - main - [phb][security]: Encourage documenting derivative ports
Message-ID:  <202501201735.50KHZwFa043512@gitrepo.freebsd.org>

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/doc/commit/?id=b640c7772741ea880a252208149caa4b3de06aa5

commit b640c7772741ea880a252208149caa4b3de06aa5
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-01-20 17:33:23 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-01-20 17:33:38 +0000

    [phb][security]: Encourage documenting derivative ports
    
    Recommend documenting vulnerabilities in the derivative projects.
    
    Discussed in ports-secteam@.
    
    Reviewed By:    tz@
    Differential Revision: https://reviews.freebsd.org/D48440
---
 .../content/en/books/porters-handbook/security/_index.adoc     | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc
index e04bb32e6c..877dc61b5a 100644
--- a/documentation/content/en/books/porters-handbook/security/_index.adoc
+++ b/documentation/content/en/books/porters-handbook/security/_index.adoc
@@ -313,3 +313,13 @@ WWW: https://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html
 ....
 
 The former version matches while the latter one does not.
+
+[[security-xcheck-vuxml]]
+=== Cross-checking Derivatives
+
+If an upstream project has a known vulnerability, check whether derivatives or
+forks of the project included in the ports tree are also affected.
+For example, if a vulnerability is discovered in package:www/firefox[], assess
+whether derivatives like package:www/librewolf[], package:www/waterfox[] or
+other similar projects share the same vulnerability. Include all affected
+derivatives in the VuXML entry, ensuring that users of these ports are informed.
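
Review bot: The last added sentence ("Include all affected derivatives in the VuXML entry") does not say how a derivative is recorded, and a reader could assume that the upstream version range carries over unchanged. A fork can have its own version numbering and can pick up the fix in a different release, so consider adding a sentence stating that each affected derivative gets its own package name and version range in the entry, with the range checked against that port rather than copied from upstream. On style, that sentence starts mid-line after "share the same vulnerability.", while the two sentences before it each start on a new line; starting it on its own line would keep later diffs to this paragraph smaller.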


