Date: Sat, 17 Aug 2024 09:26:43 +0200
From: Mathieu Arnold <mat@freebsd.org>
To: Kevin Bowling <kevin.bowling@kev009.com>
Cc: Gleb Popov <arrowd@freebsd.org>, Vladimir Druzenko <vvd@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject: Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
Message-ID: <modpdqcgboxfbiu2fmwiunp6mntsr2rpwtbsjszdwbj3i7qtwh@glauhvjtgaho>
In-Reply-To: <CAK7dMtBJ59N4PnrMVqbWA5=bBDpuuSdy6x2wTxTgBvd3dL=_Gg@mail.gmail.com>
References: <202408161835.47GIZuZJ084942@gitrepo.freebsd.org>
 <CAK7dMtD6gZ0dHhu8edEs%2BH1wEdKbeE4%2B6L%2BRDCbBRuHj5WJ5fA@mail.gmail.com>
 <5b4df306-2998-4f98-b5fa-8bf168cd011a@freebsd.org>
 <CAK7dMtDpKJjLYheA77QY_5TKG2uEsLWtcGwSz%2Bqp4%2BNYuwDqNg@mail.gmail.com>
 <CALH631nO0v9-8MqsqJ2uY4KhquixJALteJ=-690hDRjhP=wEhA@mail.gmail.com>
 <CAK7dMtBJ59N4PnrMVqbWA5=bBDpuuSdy6x2wTxTgBvd3dL=_Gg@mail.gmail.com>

On Sat, Aug 17, 2024 at 12:15:54AM GMT, Kevin Bowling wrote:
> On Fri, Aug 16, 2024 at 11:56 PM Gleb Popov <arrowd@freebsd.org> wrote:
> >
> > On Sat, Aug 17, 2024 at 1:03 AM Kevin Bowling <kevin.bowling@kev009.com> wrote:
> > >
> > > You should seek help or abstain from doing security updates then.
> >
> > Is this a policy written somewhere? I don't see how not updating a
> > VuXML entry is worse than not updating the vulnerable port itself.
>
> Updating and forgetting or simply not knowing how to do something once
> is fine. A refusal, if you aren't going to uphold the standard
> committer practices after being shown, maybe you should reconsider
> whether you are the right person for the direct commit access and
> filter it through review/PR so other committers can massage the
> correct result.
>
> I'm not really sure why this is turning into a discussion. The
> request is standard practice for handling CVEs in the repo and a
> courtesy to other committers and even more for users who rely on tools
> like pkg audit and do not watch commit logs.

Technically, it does not need to be a discussion.

Maintaining the VuXML database is ports-secteam's job, it's in their
charter. Now, ports-secteam has no members, so nobody is maintaining
the VuXML database. Ports committers can update it, but they have
absolutely no obligation to, it's on a best effort basis.

If anyone wants to join ports-secteam, I am sure it can be arranged.

-- 
Mathieu Arnold