From nobody Mon May 25 22:44:11 2026 X-Original-To: freebsd-python@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gPWCQ0wXHz6g8N9 for ; Mon, 25 May 2026 22:44:18 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: from mail.nomadlogic.org (mail.nomadlogic.org [46.21.153.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gPWCP4QPDz3b1J; Mon, 25 May 2026 22:44:17 +0000 (UTC) (envelope-from pete@nomadlogic.org) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nomadlogic.org; s=04242021; t=1779749026; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aK9lmLBoO6vxbFtJ6vLdF4s6W+T1h7LJtTzvDn971Bk=; b=hCy2Maby0plnaJQWnQdGPlhCLF8Hjj6kD8gpmsFK2pL1ODtmyl0+Lju4tEHjOA3D8k0F+a AYkymLMF2obLHZLSnZ4Ygsq9mrwRk/WFtNWuQrBzYZPdySeC92sNHq9kscWSb7MgElXnJ2 NiGli9/ArDHfDdZlZtJao/knefhsKBk= Received: from [192.168.1.182] (47-154-29-181.fdr01.snmn.ca.ip.frontiernet.net [47.154.29.181]) by mail.nomadlogic.org (OpenSMTPD) with ESMTPSA id d87842ab (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Mon, 25 May 2026 22:43:46 +0000 (UTC) Message-ID: Date: Mon, 25 May 2026 15:44:11 -0700 List-Id: FreeBSD-specific Python issues List-Archive: https://lists.freebsd.org/archives/freebsd-python List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-python@freebsd.org Sender: owner-freebsd-python@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Best way to help get CVE's addressed To: Charlie Li , freeBSD-python@freebsd.org References: <560c94dc-aa6a-4670-a3be-b89f1f2ce0ec@nomadlogic.org> Content-Language: en-US From: Pete Wright In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:29802, ipnet:46.21.153.0/24, country:US] X-Rspamd-Queue-Id: 4gPWCP4QPDz3b1J X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated On 5/25/26 11:47, Charlie Li wrote: > Pete Wright wrote: > >> i searched bugzilla and wasn't sure if we are filing reports for each >> CVE and tracking there, or are our efforts better spent focusing on >> getting a newer default python out the door? >> > Please do not do anything of this sort, they only slow things down. > Security reports almost always affect every supported and development > branch upstream at the same time. > so what is the best course of action if a fix has been applied upstream, but is not reflected in the ports tree? -p -- Pete Wright pete@nomadlogic.org