From owner-freebsd-questions@freebsd.org Mon Nov 27 20:11:56 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 65103DE6867 for ; Mon, 27 Nov 2017 20:11:56 +0000 (UTC) (envelope-from rplace@vivaldi.net) Received: from mail.vivaldi.net (mail.vivaldi.net [82.221.99.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 25F043202 for ; Mon, 27 Nov 2017 20:11:56 +0000 (UTC) (envelope-from rplace@vivaldi.net) Received: from localhost (localhost [127.0.0.1]) by mail.vivaldi.net (Postfix) with ESMTP id 24F6F3BA; Mon, 27 Nov 2017 20:11:58 +0000 (GMT) X-Virus-Scanned: Debian amavisd-new at vivaldi.net Received: from mail.vivaldi.net ([127.0.0.1]) by localhost (mail.vivaldi.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LRPWaxvUfDCD; Mon, 27 Nov 2017 20:11:56 +0000 (GMT) Received: from 03c0.comcast.net (c-71-193-191-101.hsd1.or.comcast.net [71.193.191.101]) (Authenticated sender: rplace) by mail.vivaldi.net (Postfix) with ESMTPSA id 42EE337A; Mon, 27 Nov 2017 20:11:55 +0000 (GMT) Date: Mon, 27 Nov 2017 20:11:32 +0000 From: rplace To: freebsd-questions@freebsd.org Cc: Ben Woods Subject: Re: why pkgs with =?utf-8?Q?vulnerabilitie?= =?utf-8?Q?s_on_quarterly_aren=E2=80=99t?= updated Message-ID: <20171127201130.GA1022@03c0.comcast.net> Mail-Followup-To: freebsd-questions@freebsd.org, Ben Woods References: <20171125162116.GA7147@03c0.comcast.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Nov 2017 20:11:56 -0000 On Sun, Nov 26, 2017 at 12:48:41AM +0000, Ben Woods wrote: > Quartlery branches are definitely supposed to receive security updates. > Sometime people forget, and if this is the case you absolutely should > remind them. Ideally this would just be the minimal update to address the > vulnerability, without bringing new features. However, patches do not > always exist, and sometime this is not easy. > > Where security issues have been addressed in the head branch, but not the > quarterly branch, I recommend: > - checking if the commit to head had a MFH request (merge from head)... > perhaps the committer is just waiting for the approval to merge the commit > to quarterly. > - if there was a bug report, check if it has been closed or if it is still > open awaiting the MFH (there is a flag in bugzilla that can be set to show > this is the status). > - if a number of days (closer to a week) has passed since it was addressed > in head and it still hasn’t been addressed in quarterly, or there was no > MFH commentary to suggest it would be addressed in quarterly, then I > suggest either commenting on the bug report that was related to the commit > to state the MFH has been forgotten (reopen the bug), or raise a new bug > report, ensuring that the person who made the commit to head gets > automatically assigned as the assignee after raising or add them to the CC > list manually. Thanks. The maintainer for firefox-esr said that the MFH was denied by the relevant authority, ports-secteam or something like that. I presume it wanted new versions of libraries or something. It became clear to me that quarterly is all right for a professional system running some services, but that latest becomes necessary for a personal machine.