From owner-freebsd-security@freebsd.org Sun Dec 16 20:20:37 2018
Date: Sun, 16 Dec 2018 12:20:34 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: Remko Lodder
Cc: freebsd-security@freebsd.org, ports-secteam@FreeBSD.org
Subject: Re: SQLite vulnerability
In-Reply-To: <473172DA-7F1E-42EB-8E0B-53122E13E84E@elvandar.org>
References: <473172DA-7F1E-42EB-8E0B-53122E13E84E@elvandar.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 16 Dec 2018 20:20:37 -0000

> It's sad to see that you are still as negative as you were not that long
> ago.

Apologies for being negative Remko, but isn't it the implications for those
running FreeBSD that are negative rather than someone pointing them out?
Or do we have different interpretations of the scope or threat profile of
this particular issue? (considering that sqlite has been installed by
default on every FreeBSD host and jail for a few years now)

> I said before that if you rely on the information being up to date, you
> should sponsor the FF or pay someone to do the work for you. You keep
> forgetting that we (security-officer@ and ports-secteam@) are volunteers
> and that we do this in our free spare time.

This is a good answer to my question regarding what might be done to
address the gap in reporting. I am in no position to financially sponsor
anyone but certainly the FreeBSD Foundation is. Maybe someone from the
board could weigh in regarding the feasibility of funding this critical
function? According to more than $3M is available, a small portion of
which, if applied on an ongoing basis, would bring FreeBSD up to the
3rd-party application security standards of its competitors (Android
aside) and make the OS infinitely easier for us to advocate, admin and
develop for.

On that note, does anyone on this list have experience applying for
FreeBSD Foundation grants? If so please contact me off-list.

OTOH it may also be a matter of team size and/or policies that would be
more effective in the short term. Would be great if other sec team and/or
board members could comment (ideally without shooting the messenger).

> I do not think the others need to step in for this one, your constant
> negative attitude towards our ports-secteam people is getting annoying and
> a waste of our precious time. So either start sending patches, contribute,
> or understand that this is voluntary and that their priorities might not
> be your priority.

I don't know Remko. It seems like too far-reaching of an issue to ignore.
Most of us don't see it as negative or positive but simply a means of
keeping end-users safe and making everyone's contribution to the project
more effective.

Roger Marquis