Date: Fri, 14 Aug 2015 13:31:42 -0400
From: Mason Loring Bliss <mason@blisses.org>
To: Mark Felder <feld@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Quarterly packages and security updates...
Message-ID: <20150814173142.GK4093@blisses.org>
In-Reply-To: <1439566064.3432937.356330361.6E353C63@webmail.messagingengine.com>
References: <20150813202007.GC4093@blisses.org> <1439566064.3432937.356330361.6E353C63@webmail.messagingengine.com>

On Fri, Aug 14, 2015 at 10:27:44AM -0500, Mark Felder wrote:

> You should not see vulnerable packages in the quarterly branch unless
> there is no public fix available. If you come across this type of
> situation where it is fixed in HEAD but not in the quarterly branch
> please email the maintainer and ports-secteam@ ASAP.

Sounds reasonable.

> I can't speak to subversion at the moment

My next email noted that I had held back Subversion intentionally, so that
one was my fault.

> Quarterly branch has 40.0_4,1 which I linked above (r394030), so this
> does not apply either.

Now, THAT is cheating. Firefox wasn't updated in the quarterly branch until
*after* I pointed it out on the list.

> The packages are there, so I don't understand how you observe these
> packages to still be vulnerable.

How about, two of them were vulnerable until I wrote to the list with the
dismaying thought that we were going to ship vulnerable packages, at which
point someone with the ability to push packages around decided to fix
them...?

That said, I will happily use the mechanisms you noted if I see this sort of
situation in the future, and I am sincerely, deeply grateful that the
high-profile stuff I pointed out was fixed so rapidly in response to my
pointing it out.

-- 
Mason Loring Bliss    (( If I have not seen as far as others, it is because
mason@blisses.org     )) giants were standing on my shoulders. - Hal Abelson