Date:      Tue, 25 Nov 2008 16:30:19 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "David F. Severski" <davidski@deadheaven.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829
Message-ID:  <20081125153335.Q43853@sola.nimnet.asn.au>
In-Reply-To: <20081124222029.GM85200@geoff.deadheaven.com>
References:  <200811230855.mAN8tmXo091500@freefall.freebsd.org> <731a66520811241055x62a013at71bc1d08bcc6bda8@mail.gmail.com> <492B2242.4080102@vwsoft.com> <731a66520811241406r6269274ft8a41666efd85560d@mail.gmail.com> <20081124222029.GM85200@geoff.deadheaven.com>

On Mon, 24 Nov 2008, David F. Severski wrote:
 > On Mon, Nov 24, 2008 at 11:06:56PM +0100, William Palfreman wrote:
 > > That's nice.  I am sure it is very useful on the ports mailinglist
 > > where it belongs.  I also greatly enjoy the frequent interesting and
 > > informed discussion on the security mailinglist - of which Eirik
 > > Overby's thread recently about syn+fin is one example.  But all these
 > > ports announcements, raw patches, garbled html etc. I could really do
 > > without.  It is why there are separate lists.
 > 
 > Was there a discussion or even an announcement indicating that the
 > security-related port commit messages would be sent to freebsd-security?

Not that I could find.  The other day I reviewed the last three months' 
archives looking for any notice I'd missed.  These ports security issues 
and patches postings began on Nov 8; I've resisted commenting until now.

 > This seems to have started just this month. Like William, I also find the
 > explosion of commit messages and bug tracking minutia detracts from the
 > low volume and high value of the freebsd-security list. The list
 > description on mailman indicates the intent of the list is to be a
 > 'high-signal, low-noise discussion of issues affecting the security of
 > FreeBSD.' Including every single obliquely security related port commit
 > seems counter to this intention.
 > 
 > I'd very much like to see a separate list for the automated port postings,
 > leaving this list to its historical usage.

I'm also finding these to be swamping S/N (as are these posts, I know!)
and no, switching to security-advisories@ wouldn't cut it for me, for 
the same reasons William mentions above.

We're heading towards 20,000 ports these days, and while I appreciate 
and rely on the vuxml database and portaudit for vulns and updates for 
those ports I use, and am glad to see such active work going on, I'm 
feeling the separation of base system (including contrib) from ports 
remains important - especially in the security context.

My 2c (now scarcely U$1.3c),

Ian


