Date: Sat, 12 Aug 2006 13:20:25 +0200
From: "Simon L. Nielsen"
To: Adrian Penisoara
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Ports security [was: Ports/source dance]
Message-ID: <20060812112024.GA1076@zaphod.nitro.dk>
In-Reply-To: <9e01a0da0608110010nb48e90fra21f149b836d32fa@mail.gmail.com>
References: <20060810132435.GB2636@rabbit> <44DB9955.10102@FreeBSD.org> <20060810204943.GG2164@rabbit> <9e01a0da0608110010nb48e90fra21f149b836d32fa@mail.gmail.com>

On 2006.08.11 10:10:19 +0300, Adrian Penisoara wrote:
> On 8/10/06, Mark Bucciarelli wrote:
> >
> >There's a scary security alert from yesterday out and no port
> >update so I judged it to be isp-related.  I looked for
> >ports-security list but didn't see one.
>
> You know, that might be a very good idea -- e.g. have a security team and
> list for ports as we have one for the base distribution. There should be
> enough volunteers.
>
> What would the FreeBSD security officer say about this?

I was not on freebsd-isp, so I hadn't seen the start of this thread.

Ports security issues should go to either freebsd-ports@,
freebsd-security@, or directly to the FreeBSD Security Team at
secteam@FreeBSD.org, if you want to catch the attention of the
Security Team.

I don't currently see enough volume with regards to ports security
issues to warrant a separate mailing list.  I think using
freebsd-security@ should be fine, and we can always create a new list
if needed.

With regards to a separate security team for ports, it has been
discussed in the past, but so far hasn't been created, mainly since it
hasn't been a problem for secteam members working on ports just being
part of the "normal" secteam, while only/mostly working on ports
issues.

It would be very nice if more people helped out with the ports side of
FreeBSD security, but when we had the last call for volunteers among
committers there weren't a lot of people volunteering to help out with
ports as part of the Security Team.

That said, it's certainly no requirement to be a committer or to be
part of secteam to help out.  Just create VuXML entries [1] [2] and
send them to freebsd-vuxml@FreeBSD.org or secteam@FreeBSD.org for
review and commit, or fix issues and send patches as PRs where secteam
is CC'ed.

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer