Date: Thu, 18 Mar 2004 07:59:57 -0600
From: "Jacques A. Vidrine"
To: Tobias Roth
Cc: security@freebsd.org
Subject: Re: portaudit
Message-ID: <20040318135957.GC11791@lum.celabo.org>
In-Reply-To: <20040318082810.GA21089@speedy.unibe.ch>
References: <20040317070051.GC716@cowbert.2y.net> <20040318082810.GA21089@speedy.unibe.ch>

On Thu, Mar 18, 2004 at 09:28:10AM +0100, Tobias Roth wrote:
> On Wed, Mar 17, 2004 at 02:00:51AM -0500, Peter C. Lai wrote:
> >
> > Seeing as
> > the security officer apparently (without announcement) no longer issues
> > security notices (SNs) for ports
>
>
> is this true? no more advisories concerning ports?

Advisories concerning ports have not been published for about two
years. Most ports issues were very minor, and we wished to reserve
advisories for issues affecting all FreeBSD systems--- i.e., software
in the base system.

The Security Notices were experimentally published to help keep users
informed about non-FreeBSD vulnerabilities in packages in the Ports
Collection. However, I am sorry to say, that the experiment failed:
there were few contributions to security notices, and I was not able
to effectively produce them on my own.

Thus, I recently created the Vulnerabilities and eXposures Markup
Language (VuXML), a format for documenting the vulnerabilities in a
software collection such as the FreeBSD Ports Collection. Any ports
committer may create entries; any FreeBSD contributor may send-pr
entries. Over time, it is expected that ports maintainers will be
primarily responsible for tracking security issues in their ports,
although the security officer will always act as `Editor' and often
add entries also. In this fashion, we should be able to keep users
informed of issues in all of our 10,000+ ports.

There is still some tweaking going on, but VuXML (and any tools using
it, like `portaudit') will be featured in an `official' announcement
within a few weeks.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org