Date: Wed, 12 Oct 2005 10:23:16 -0400
From: Mike Tancsa
To: Ivan Voras
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Message-Id: <6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
In-Reply-To: <434D1A21.9040104@fer.hr>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr> <20051012134440.GA17517@droopy.unibe.ch> <434D1A21.9040104@fer.hr>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4

At 10:13 AM 12/10/2005, Ivan Voras wrote:
>Tobias Roth wrote:
>>On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:
>
>>And you cannot expect the port maintainers
>>to backport security fixes if the upstream provider chose to release the
>>fix only together with a new version.
>
>Yes you can, ask these guys: http://www.debian.org/. It's just a
>matter of policy.
>
>I dislike the long cycles between version updates in Debian but must
>admit that the "stable" distributions indeed justify their name,
>INCLUDING packages.
>
>My idea is that there could maybe be some "core" ports, about 1500 or so,

This sounds like a recipe for confusion. Some users have problems distinguishing between what's in the base and what's out of the ports. Another type of "pseudo base app" would just add to the confusion. Users / admins need to take *some* responsibility for what is installed on their system. Many ports are not very well maintained in the first place, and to say that the security team should be responsible for another 1500 applications is not realistic.

---Mike