From: Mel Pilgrim
To: Freebsd Ports
Subject: How to get timely MFH of security commits?
Date: Mon, 2 Apr 2018 09:50:05 -0700
Message-ID: <3757bd87-a536-c3ae-ef71-1a68fe6c3e45@bluerosetech.com>

The update to net/samba4{5,6,7} addressing CVEs went to head on March 13. The security/openssl update to 1.0.2o was committed to head with MFH 2018Q1 explicitly asked for in the commit message. In both cases, 2018Q1 expired before the MFH happened.
Last year, r453380 updated security/openssl in head to 1.0.2m the same day it was available upstream. The commit was flagged MFH 2017Q4, but it took opening a bug asking for the MFH three weeks later. Delays like this mean that, for the vast majority of users, security fixes are delayed by up to three months. Is there a process hindering security merges? Can those of us who aren't committers do anything to help improve this process?