From owner-freebsd-security@FreeBSD.ORG Tue Jun 9 09:55:40 2015
Date: Tue, 9 Jun 2015 11:56:08 +0200 (CEST)
From: Remko Lodder
Reply-To: Remko Lodder
To: freebsd-security, Robert Simmons
Message-ID: <1062935246.137.1433843768796.JavaMail.open-xchange@openexchange.elvandar.org>
References: <557625CA.8030206@delphij.net>
Subject: Re: Ports Secteam

Hi,

> On June 9, 2015 at 1:59 AM Robert Simmons wrote:
>
> On Mon, Jun 8, 2015 at 7:31 PM, Xin Li wrote:
> > On 06/08/15 14:37, Robert Simmons wrote:
> >> I'm sure that the reason these questions have not been answered is
> >> simply because they may have gotten lost in the volume of traffic
> >> on freebsd-ports. In the following thread, there are a number of
> >> folks with enough passion to volunteer time to help with the Ports
> >> Secteam, but we're having difficulty getting a few basic questions
> >> answered.
> >> https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html
> >>
> >> Here are the basic questions:
> >>
> >> Who are the members of the Ports Secteam?
> >
> > Current members include the current security officers (who act as a
> > fallback when needed and a contact for liaison for sensitive and
> > embargoed information) and:
> >
> > Eitan Adler (eadler@);
> > Jason Helfman (jgh@);
> > Martin Wilke (miwi@);
> > Eygene Ryabinkin (rea@);
> > Sofian Brabez (sbz@);
> > Simon L. B. Nielsen (simon@, clusteradm@ liaison);
> > Steve Wills (swills@);
> > Wesley Shields (wxs@);
> > Ryan Steinmetz (zi@);
> >
> >> How does one join the Ports Secteam?
> >
> > Per previous discussion with portmgr@, members are volunteers selected
> > by the Security Officer from active ports committers who have made
> > commits in the ports tree in the last 90 days.
>
> Excellent. Thanks for the quick reply!
>
> So, if membership requires committership, what is the next best way to
> help the team?

I think that actively sending patches would help in getting in
information sooner. A PR with the patch would greatly assist in that.

Cheers
Remko

From owner-freebsd-security@FreeBSD.ORG Wed Jun 10 05:30:33 2015
Message-Id: <1433914224.244626.291502609.0C780DD0@webmail.messagingengine.com>
From: Mark Felder
To: freebsd-security@freebsd.org
In-Reply-To: <557625CA.8030206@delphij.net>
References: <557625CA.8030206@delphij.net>
Subject: Re: Ports Secteam
Date: Wed, 10 Jun 2015 00:30:24 -0500

On Mon, Jun 8, 2015, at 18:31, Xin Li wrote:
>
> On 06/08/15 14:37, Robert Simmons wrote:
> > I'm sure that the reason these questions have not been answered is
> > simply because they may have gotten lost in the volume of traffic
> > on freebsd-ports. In the following thread, there are a number of
> > folks with enough passion to volunteer time to help with the Ports
> > Secteam, but we're having difficulty getting a few basic questions
> > answered.
> > https://lists.freebsd.org/pipermail/freebsd-ports/2015-May/099268.html
> >
> > Here are the basic questions:
> >
> > Who are the members of the Ports Secteam?
>
> Current members include the current security officers (who act as a
> fallback when needed and a contact for liaison for sensitive and
> embargoed information) and:
>
> Eitan Adler (eadler@);
> Jason Helfman (jgh@);
> Martin Wilke (miwi@);
> Eygene Ryabinkin (rea@);
> Sofian Brabez (sbz@);
> Simon L. B. Nielsen (simon@, clusteradm@ liaison);
> Steve Wills (swills@);
> Wesley Shields (wxs@);
> Ryan Steinmetz (zi@);
>
> > How does one join the Ports Secteam?
>
> Per previous discussion with portmgr@, members are volunteers selected
> by the Security Officer from active ports committers who have made
> commits in the ports tree in the last 90 days.
>

miwi stepped down 7 months ago.
His name on this list is a huge red flag that there is a lack of care
and feeding for this team.

As long as my script isn't broken, here is the number of commits from
March 1st through June 1st by each committer in that list:

eadler: 6
jgh: 49
miwi: 0
rea: 5
sbz: 2
simon: 0
swills: 117
wxs: 1
zi: 64

There's an obvious lack of activity in that list and I would expect
participation in ports-secteam duties to be closely monitored and have
members rotated out if they take time away.

My participation in the ports tree has been rather sporadic lately, but
the script I used indicates I've 85 commits in that time period.
However, I'm not sure "number of commits" is necessarily a valuable
metric when considering candidates...

How do we make the ports-secteam effective again? Team members?
Infrastructure? New documentation and procedures?