Date:      Fri, 29 May 2015 17:15:45 -0400
From:      Robert Simmons <rsimmons0@gmail.com>
To:        "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Subject:   Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID:  <CA+QLa9APLhpyKkP4N5S9djniWMYfE4nA6K4acmtVBdvfHi_MoA@mail.gmail.com>
In-Reply-To: <556746A4.4090208@FreeBSD.org>
References:  <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <20150527174037.EF719B11@hub.freebsd.org> <556746A4.4090208@FreeBSD.org>

On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery <bdrewery@freebsd.org> wrote:
> I think the VUXML database needs to be simpler to contribute to. Only a
> handful of committers feel comfortable touching the file. We have also
> had the wrong pervasive mentality by committers and users that the vuxml
> database should only have an entry if there is a committed fix. This is
> totally wrong. These CVEs are _already public_ in all of these cases.
> Users deserve to know that there is a known issue with a package they
> have installed. I can understand how the mentality grew to what it is
> with some people, but the fact that there is not an update doesn't
> change that the user's system is insecure and needs to be dealt with. If
> the tool can't reliably report issues then it is not worth trusting.
> TL;DR: the file needs to be simpler. I know there is an effort to use
> CPE but I'm not too familiar with where it is going.
>
> As for maintainers tracking upstream mailing lists, this is hard. I'm
> subscribed to a lot of lists and can't keep up with all of the traffic.
>
> The Red Hat security team and reporting is very impressive. Don't forget
> that they are a funded company though. Perhaps the FreeBSD Foundation
> needs to fund a full-time security officer that is devoted to both Ports
> and Src. Just the Ports piece is easily a full-time job.

It seems from this thread that we have a group of people who are
passionate enough about fixing this problem.

How do we find out who the members of the Ports Secteam are? Once we
know that, I'd say that at least some of the people on this thread are
willing to join the Ports Secteam (myself included). How do we join
the team?

Once the team has new and energized members, I would envision the team
then working through the problems that have been outlined in this
thread and putting together a plan for fixing them.
