From owner-freebsd-security@FreeBSD.ORG Thu Oct 13 13:29:29 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6413416A41F for ; Thu, 13 Oct 2005 13:29:29 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from smtp4-g19.free.fr (smtp4-g19.free.fr [212.27.42.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 309D443D5F for ; Thu, 13 Oct 2005 13:29:26 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by smtp4-g19.free.fr (Postfix) with ESMTP id 1EB643FCFB; Thu, 13 Oct 2005 15:29:13 +0200 (CEST)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id A920E4080; Thu, 13 Oct 2005 15:29:01 +0200 (CEST)
Date: Thu, 13 Oct 2005 15:29:01 +0200
From: Jeremie Le Hen
To: Ivan Voras
Message-ID: <20051013132901.GH45070@obiwan.tataz.chchile.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr> <20051012134440.GA17517@droopy.unibe.ch> <434D1A21.9040104@fer.hr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <434D1A21.9040104@fer.hr>
User-Agent: Mutt/1.5.10i
Cc: freebsd-security@freebsd.org, jere , Tobias Roth
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 13 Oct 2005 13:29:29 -0000

> > On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:
> >
> > > And you cannot expect the port maintainers
> > > to backport security fixes if the upstream provider chose to release the
> > > fix only together with a new version.
>
> Yes you can, ask these guys: http://www.debian.org/. It's just a matter
> of policy.

OTOH, Debian package maintainers chose to do this work, whereas asking FreeBSD ports maintainers to do this extra work just now is awkward. Yes, the FreeBSD project could still ask for volunteers for this job, but anyway I noticed that this kind of policy leads to delayed package updates, whereas merely changing the Makefile in order to upgrade the port is very quick.

The best example I can give of this is Firefox. Recently we have seen a great increase in security advisories about it. As both a FreeBSD and Debian user, I have to admit that the FreeBSD port is often updated before the Debian package (however, I must also admit this somewhat compares the two maintainers).

In the end, I would say that when someone administers a network, I think it is his own responsibility to choose software whose release process is serious enough - which used to be a major reason for using FreeBSD - and it is not FreeBSD's responsibility to overcome their deficiencies.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >