Date: Tue, 21 Nov 2000 23:24:29 -0700
From: Warner Losh <imp@village.org>
To: opentrax@email.com
Cc: security-officer@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: New security policy for FreeBSD 3.x
Message-ID: <200011220624.XAA40393@harmony.village.org>
In-Reply-To: Your message of "Tue, 21 Nov 2000 10:43:05 PST." <200011211843.KAA00298@spammie.svbug.com>
References: <200011211843.KAA00298@spammie.svbug.com>

In message <200011211843.KAA00298@spammie.svbug.com> opentrax@email.com writes:
: Please note I've cc'd to arch. Could you make your
: comments there?
:
: On 19 Nov, FreeBSD Security Advisories wrote:
: > -----BEGIN PGP SIGNED MESSAGE-----
: >
: > The FreeBSD Security Officer would like to announce a change in policy
: > regarding security support for the FreeBSD 3.x branch.
: >
: > Due to the frequent difficulties encountered in fixing the old code
: > contained in FreeBSD 3.x, we will no longer be requiring security
: > problems to be fixed in that branch prior to the release of an
: > advisory that also pertains to FreeBSD 4.x. In recent months this
: > requirement has led to delays in the release of advisories, which
: > negatively impacts users of the current FreeBSD release branch
: > (FreeBSD 4.x).
: >
: Could you clarify exactly what you are saying? It's not clear.
: Perhaps a chart might help.

[[ included original text to give context ]]

Generally speaking, fixes go into -current first, then are MFC to
4.x-stable and then MFC to 3.x-stable. Sometimes the MFC is easy
(when the code is substantially identical) and sometimes it isn't. In
the cases it isn't, we won't hold up the advisory for a 3.x fix.

We will inform select interested and sufficiently clueful parties of
pending advisories for which no 3.x solution is available. If they
can get us a fix for 3.x before we release our advisory (usually a few
days to a week depending on its severity and other factors), we will
include it in the advisory. If not, then the advisory goes out anyway
without a 3.x fix, with the usual room for negotiation for reasonable
extensions.

In other words, fixes for 3.x will no longer gate security advisories,
but will be included if available.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message