Date:      Tue, 05 Dec 2017 12:47:21 +0100
From:      "Vlad K." <vlad-fbsd@acheronmedia.com>
To:        freebsd-ports@freebsd.org
Subject:   Re: Missing fixes for various ports in Q4 branch?
Message-ID:  <e57c160ea9e9dc5a3b84930d917db580@acheronmedia.com>
In-Reply-To: <3A3D1671-936D-4BE7-9B6F-E73E3BA81A06@punkt.de>
References:  <0C45356F-037F-4BF8-8222-0F82879F6A5D@punkt.de> <20171205105529.GR2827@home.opsec.eu> <94AC4DE0-78AB-4EB4-BE43-682D2CCEDB9B@punkt.de> <3A3D1671-936D-4BE7-9B6F-E73E3BA81A06@punkt.de>

On 2017-12-05 12:32, Patrick M. Hausen wrote:
> We relied on just updating the branch every night and running
> poudriere ... looks like I should implement something around
> pkg audit that sends us daily status reports.

Yes, but note that pkg audit depends on VuXML, which is also not up to
date (it's on a best-effort basis, just like MFH). There's some effort
going on to automate CVE entries, but until that's implemented (and if
at all, as automation depends on CPE, which many ports do not have), I'd
suggest tracking CVEs independently in order to be best informed.
Following Linux distros' secvuln announcements (Canonical's, RedHat's,
Debian's) is a good start, so is being subscribed to oss-seclist, and of
course the NVD or Mitre feeds themselves.

* https://usn.ubuntu.com/usn/rss.xml
* https://www.debian.org/security/dsa
* https://cve.mitre.org/

It'd be very helpful if bug reports were filed on FreeBSD's bugzilla
(https://bugs.freebsd.org) tagged with the keyword "security" if any
undocumented vulns (not submitted to VuXML) are found.

-- 
Vlad K.
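One way to do the "track CVEs independently" part of the above, as an added example that is not code from this thread or from FreeBSD: read an RSS 2.0 advisory feed (the USN feed linked above is one), keep only advisories whose title names a package on a local watchlist, and report only CVE ids not seen in an earlier run, which is what a daily status report needs. The feed embedded below is a constructed sample; its advisory numbers, links and CVE ids (CVE-0000-NNNN) are placeholders, not real identifiers, and the watchlist of package names is an assumption for illustration.

```python
"""Daily check of an advisory RSS feed against a package watchlist.

Added example (not from the original post or FreeBSD). The feed below is a
constructed sample in RSS 2.0 shape; the CVE ids are placeholders.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample feed; advisory numbers, links and CVE ids are placeholders.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Constructed sample advisory feed</title>
    <item>
      <title>EXAMPLE-0001-1: curl vulnerabilities</title>
      <link>https://feed.example.invalid/0001-1</link>
      <description>Several issues were fixed in curl. CVE-0000-0001, CVE-0000-0002.</description>
      <pubDate>Mon, 04 Dec 2017 10:00:00 +0000</pubDate>
    </item>
    <item>
      <title>EXAMPLE-0002-1: Linux kernel vulnerabilities</title>
      <link>https://feed.example.invalid/0002-1</link>
      <description>Several issues were fixed in the kernel. CVE-0000-0010.</description>
      <pubDate>Mon, 04 Dec 2017 11:00:00 +0000</pubDate>
    </item>
    <item>
      <title>EXAMPLE-0003-1: openssl vulnerability</title>
      <link>https://feed.example.invalid/0003-1</link>
      <description>A flaw was fixed in openssl (CVE-0000-0003).</description>
      <pubDate>Tue, 05 Dec 2017 09:00:00 +0000</pubDate>
    </item>
  </channel>
</rss>
"""


@dataclass
class Advisory:
    title: str
    link: str
    published: str
    cves: list[str]


def parse_feed(xml_text: str) -> list[Advisory]:
    """Parse RSS 2.0 <item>s, pulling CVE ids out of title and description."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        desc = item.findtext("description") or ""
        advisories.append(Advisory(
            title=title,
            link=(item.findtext("link") or "").strip(),
            published=(item.findtext("pubDate") or "").strip(),
            cves=sorted(set(CVE_RE.findall(f"{title} {desc}"))),
        ))
    return advisories


def match_watchlist(advisories: list[Advisory], watched: list[str]) -> list[tuple[str, Advisory]]:
    """Return (package, advisory) pairs whose title names a watched package.

    Whole-word, case-insensitive, so watching "ssl" does not hit "openssl".
    """
    hits = []
    for adv in advisories:
        for pkg in watched:
            if re.search(r"\b" + re.escape(pkg) + r"\b", adv.title, re.IGNORECASE):
                hits.append((pkg, adv))
                break  # one report line per advisory
    return hits


def daily_report(xml_text: str, watched: list[str], seen_cves: set[str]) -> tuple[list[str], set[str]]:
    """Report watched advisories carrying CVE ids not in seen_cves.

    Returns (lines, new_cves); persist seen_cves | new_cves between runs so
    each day's report only shows what changed.
    """
    lines: list[str] = []
    new_cves: set[str] = set()
    for pkg, adv in match_watchlist(parse_feed(xml_text), watched):
        unseen = [c for c in adv.cves if c not in seen_cves]
        if not unseen:
            continue
        lines.append(f"{pkg}: {adv.title} [{', '.join(unseen)}] {adv.link}")
        new_cves.update(unseen)
    return lines, new_cves


if __name__ == "__main__":
    # Assumed watchlist; in practice take it from the installed package set.
    report, fresh = daily_report(SAMPLE_FEED, ["curl", "openssl", "nginx"], {"CVE-0000-0001"})
    print("\n".join(report) or "nothing new")
    print("newly seen:", sorted(fresh))
```

Run it from cron, feed it the real RSS text, and keep the returned CVE set on disk; the watchlist is best generated from the installed package names rather than maintained by hand, and it complements rather than replaces pkg audit, since the feed is the upstream distro's view, not FreeBSD's.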
