From: Remko Lodder
To: Martin Wilke
Cc: bf1783@gmail.com, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, Eitan Adler, ports-committers@freebsd.org
Date: Mon, 17 Jun 2013 12:03:06 +0200
Subject: Re: svn commit: r321045 - head/security/tor-devel
References: <201306161247.r5GCloLW020616@svn.freebsd.org>

I think this would create severe overhead, any possible heap/buffer overflow could fall under this. So unless there is an immediate risk (severe) or CVE / advisory from some place, I also do not think we should document these kinds of things.

-devel has the nature of being potentially insecure and updated a lot (more than non-devel versions). People using that should know that and keep themselves informed about the software they are using.

//Remko

On Mon, Jun 17, 2013 at 12:58 AM, Martin Wilke wrote:
>
> On Jun 17, 2013, at 2:50 AM, Eitan Adler wrote:
>
> > On Sun, Jun 16, 2013 at 8:17 PM, b.f. wrote:
> >> On 6/16/13, Eitan Adler wrote:
> >>> On Sun, Jun 16, 2013 at 4:06 PM, b.f. wrote:
> >>>> In this case no CVEs were issued
> >>>
> >>> This is odd.
> >>
> >> Not very, when you consider that this is development code, and not a
> >> stable release. It would be absurd to think that every developer goes
> >> running to a CNA every time they find any problem in their repository.
> >
> > CVEs are given for beta releases (see CVE mailing lists for details).
> > I don't think debating this point is very important.
> >
> >
> >> Not
> >> every bug is found, fewer still are disclosed, and even fewer are
> >> reported to a CNA and given a CVE-ID.
> >
> > Agreed
> >
> >> The Tor developers are very conscientious when it comes to reporting
> >> bugs, even ones that are unlikely to be exploited. They often fix and
> >> report problems that would go undetected or undisclosed in other
> >> projects. But only some of the most serious bugs are reported by the
> >> project or by others to a CNA.
> >
> > Understood.
> >
> > Back to the point at hand, I do think this should be documented in VuXML.
>
> I don't think so. You are really getting annoying with telling people
> what they have to do..
>
> We never documented -devel and it should be never documented as brandan
> already pointed out it's development code.
>
> - Martin
>
> >
> > --
> > Eitan Adler
> > Source, Ports, Doc committer
> > Bugmeister, Ports Security teams
> >
>
> +-----------------oOO--(_)--OOo-------------------------+
> With best Regards,
> Martin Wilke (miwi_(at)_FreeBSD.org)
>
> Mess with the Best, Die like the Rest