Date: Tue, 25 Nov 2008 16:30:19 +1100 (EST)
From: Ian Smith
To: "David F. Severski"
Cc: freebsd-security@freebsd.org
Subject: Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

On Mon, 24 Nov 2008, David F. Severski wrote:
> On Mon, Nov 24, 2008 at 11:06:56PM +0100, William Palfreman wrote:
> > That's nice. I am sure it is very useful on the ports mailing list
> > where it belongs. I also greatly enjoy the frequent interesting and
> > informed discussion on the security mailing list - of which Eirik
> > Overby's thread recently about syn+fin is one example. But all these
> > ports announcements, raw patches, garbled html etc. I could really do
> > without. It is why there are separate lists.
>
> Was there a discussion or even an announcement indicating that the
> security-related port commit messages would be sent to freebsd-security?

Not that I could find. The other day I reviewed the last three months'
archives looking for any notice I'd missed. These ports security issues
and patches postings began on Nov 8; I've resisted commenting until now.

> This seems to have started just this month. Like William, I also find the
> explosion of commit messages and bug tracking minutiae detracts from the
> low volume and high value of the freebsd-security list. The list
> description on mailman indicates the intent of the list is to be a
> 'high-signal, low-noise discussion of issues affecting the security of
> FreeBSD.' Including every single obliquely security related port commit
> seems counter to this intention.
>
> I'd very much like to see a separate list for the automated port postings,
> leaving this list to its historical usage.

I'm also finding these to be swamping S/N (as are these posts, I know!)
and no, switching to security-advisories@ wouldn't cut it for me, for
the same reasons William mentions above.

We're heading towards 20,000 ports these days, and while I appreciate
and rely on the vuxml database and portaudit for vulns and updates for
those ports I use, and am glad to see such active work going on, I'm
feeling the separation of base system (including contrib) from ports
remains important - especially in the security context.

My 2c (now scarcely U$1.3c), Ian