Date: Fri, 14 Aug 2015 13:31:42 -0400
From: Mason Loring Bliss
To: Mark Felder
Cc: freebsd-security@freebsd.org
Subject: Re: Quarterly packages and security updates...
Message-ID: <20150814173142.GK4093@blisses.org>
In-Reply-To: <1439566064.3432937.356330361.6E353C63@webmail.messagingengine.com>

On Fri, Aug 14, 2015 at 10:27:44AM -0500, Mark Felder wrote:

> You should not see vulnerable packages in the quarterly branch unless
> there is no public fix available. If you come across this type of
> situation where it is fixed in HEAD but not in the quarterly branch
> please email the maintainer and ports-secteam@ ASAP.

Sounds reasonable.

> I can't speak to subversion at the moment

My next email noted that I had held back Subversion intentionally, so that
one was my fault.

> Quarterly branch has 40.0_4,1 which I linked above (r394030), so this
> does not apply either.

Now, THAT is cheating. Firefox wasn't updated in the quarterly branch until
*after* I pointed it out on the list.

> The packages are there, so I don't understand how you observe these
> packages to still be vulnerable.

How about, two of them were vulnerable until I wrote to the list with the
dismaying thought that we were going to ship vulnerable packages, at which
point someone with the ability to push packages around decided to fix
them...?

That said, I will happily use the mechanisms you noted if I see this sort of
situation in the future, and I am sincerely, deeply grateful that the
high-profile stuff I pointed out was fixed so rapidly in response to my
pointing it out.

-- 
Mason Loring Bliss  ((  If I have not seen as far as others, it is because
mason@blisses.org   ))  giants were standing on my shoulders. - Hal Abelson