From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-ports@freebsd.org
Date: Fri, 29 May 2015 17:15:45 -0400
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
In-Reply-To: <556746A4.4090208@FreeBSD.org>
References: <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <20150527174037.EF719B11@hub.freebsd.org> <556746A4.4090208@FreeBSD.org>
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>

On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery wrote:
> I think the VUXML database needs to be simpler to contribute to. Only a
> handful of committers feel comfortable touching the file. We have also
> had the wrong pervasive mentality by committers and users that the vuxml
> database should only have an entry if there is a committed fix. This is
> totally wrong. These CVEs are _already public_ in all of these cases.
> Users deserve to know that there is a known issue with a package they
> have installed. I can understand how the mentality grew to what it is
> with some people, but the fact that there is not an update doesn't
> change that the user's system is insecure and needs to be dealt with. If
> the tool can't reliably report issues then it is not worth trusting.
> TL;DR: the file needs to be simpler. I know there is an effort to use
> CPE but I'm not too familiar with where it is going.
>
> As for maintainers tracking upstream mailing lists, this is hard. I'm
> subscribed to a lot of lists and can't keep up with all of the traffic.
>
> The RedHat security team and reporting is very impressive. Don't forget
> that they are a funded company though. Perhaps the FreeBSD Foundation
> needs to fund a fulltime security officer that is devoted to both Ports
> and Src. Just the Ports piece is easily a fulltime job.

It seems from this thread that we have a group of people who are passionate enough about fixing this problem. How do we find out who the members of the Ports Secteam are? Once we know that, I'd say that at least some of the people on this thread are willing to join the Ports Secteam (myself included).

How do we join the team? Once the team has new and energized members, I would envision the team then working through the problems that have been outlined in this thread and putting together a plan for fixing them.