Date: Fri, 29 May 2015 15:00:49 -0700 (PDT) From: Don Lewis <truckman@FreeBSD.org> To: rsimmons0@gmail.com Cc: freebsd-ports@FreeBSD.org Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) Message-ID: <201505292200.t4TM0nJI073864@gw.catspoiler.org> In-Reply-To: <CA%2BQLa9APLhpyKkP4N5S9djniWMYfE4nA6K4acmtVBdvfHi_MoA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 29 May, Robert Simmons wrote: > On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery <bdrewery@freebsd.org> wrote: >> I think the VUXML database needs to be simpler to contribute to. Only a >> handful of committers feel comfortable touching the file. We have also >> had the wrong pervasive mentality by committers and users that the vuxml >> database should only have an entry if there is a committed fix. This is >> totally wrong. These CVE are _already public_ in all of these cases. >> Users deserve to know that there is a known issue with a package they >> have installed. I can understand how the mentality grew to what it is >> with some people, but the fact that there is not an update doesn't >> change that the user's system is insecure and needs to be dealt with. If >> the tool can't reliably report issues then it is not worth trusting. >> TL;DR; the file needs to be simpler. I know there is an effort to use >> CPE but I'm not too familiar with where it is going. >> >> As for maintainers tracking upstream mailing lists, this is hard. I'm >> subscribed to a lot of lists and can't keep up with all of the traffic. >> >> The RedHat security team and reporting is very impressive. Don't forget >> that they are a funded company though. Perhaps the FreeBSD Foundation >> needs to fund a fulltime security officer that is devoted to both Ports >> and Src. Just the Ports piece is easily a fulltime job. > > It seems from this thread that we have a group of people who are > passionate enough about fixing this problem. > > How do we find out who the members of the Ports Secteam are? Once we > know that, I'd say that at least some of the people on this thread are > willing to join the Ports Secteam (myself included). How do we join > the team? Ports Secteam really should be documented here: <https://www.freebsd.org/administration.html>, but it is not.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201505292200.t4TM0nJI073864>