Date: Mon, 2 Apr 2018 09:50:05 -0700 From: Mel Pilgrim <list_freebsd@bluerosetech.com> To: Freebsd Ports <freebsd-ports@freebsd.org> Subject: How to get timely MFH of security commits? Message-ID: <3757bd87-a536-c3ae-ef71-1a68fe6c3e45@bluerosetech.com>
next in thread | raw e-mail | index | archive | help
The update to net/samba4{5,6,7} addressing CVEs went to head on March
13. The security/openssl update to 1.0.2o was committed to head with
MFH 2018Q1 explicitly asked for in the commit message. In both cases,
2018Q1 expired before the MFH happened.
Last year, r453380 updated security/openssl in head to 1.0.2m the same
day it was available upstream. The commit was flagged MFH 2017Q4, but
it took opening a bug asking for the MFH three weeks later.
Delays like this mean that, for the vast majority of users, security
fixes are delayed by up to three months.
Is there a process hindering security merges?
Can those of us who aren't committers do anything to help improve this
process?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3757bd87-a536-c3ae-ef71-1a68fe6c3e45>