From owner-freebsd-security@FreeBSD.ORG Wed Oct 12 16:33:28 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0AB5616A41F for ; Wed, 12 Oct 2005 16:33:28 +0000 (GMT) (envelope-from ivoras@fer.hr)
Received: from pinus.cc.fer.hr (pinus.cc.fer.hr [161.53.73.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6222043D48 for ; Wed, 12 Oct 2005 16:33:27 +0000 (GMT) (envelope-from ivoras@fer.hr)
Received: from [161.53.72.113] (lara.cc.fer.hr [161.53.72.113]) by pinus.cc.fer.hr (8.12.2/8.12.2) with ESMTP id j9CGcgFx024100; Wed, 12 Oct 2005 18:38:42 +0200 (MEST)
Message-ID: <434D3AA4.1020000@fer.hr>
Date: Wed, 12 Oct 2005 18:32:36 +0200
From: Ivan Voras
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050921)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mike Tancsa
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr> <20051012134440.GA17517@droopy.unibe.ch> <434D1A21.9040104@fer.hr> <6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
In-Reply-To: <6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 12 Oct 2005 16:33:28 -0000

Mike Tancsa wrote:
> At 10:13 AM 12/10/2005, Ivan Voras wrote:
>> My idea is that there could maybe be some "core" ports, about 1500 or so,
>
> This sounds like a recipe for confusion. Some users have problems
> distinguishing between what's in the base, and what's out of the ports.
> Another type of "pseudo base app" would just add to the confusion.

I agree that "core ports" is a very confusing name... maybe something like "ports with extended security support" :)

> User / admins need to take *some* responsibility for what is installed on
> their system. Many ports are not very well maintained in the first
> place and to say that the security team should be responsible for
> another 1500 applications is not realistic.

No, not the FreeBSD security team - I mentioned them only as a reference for "how long does it make sense to support a release". All ports that would get the extended support will HAVE to be supported by their respective maintainers/authors. Any port whose maintainer doesn't want to do it this way will automatically get kicked off the list.

The reason why I think this would work is that I think that many widely-used applications (e.g.: apache, php, mysql, postgresql, perl, postfix) are well maintained by their authors and there would certainly be an audience among the maintainers themselves for such a thing.

To summarize:

- each release would tag the ports tree with RELENG_x_y
- on that tag, certain ports would be supported security-wise by their maintainers for as long as RELENG_x_y itself is supported by the security team, being careful to leave the same version of the port (or one that's 100% backward compatible).
- other ports would not be supported/maintained, and will just be "frozen in time" by the CVS tag.