Date:      Mon, 2 Apr 2018 09:50:05 -0700
From:      Mel Pilgrim <list_freebsd@bluerosetech.com>
To:        Freebsd Ports <freebsd-ports@freebsd.org>
Subject:   How to get timely MFH of security commits?
Message-ID:  <3757bd87-a536-c3ae-ef71-1a68fe6c3e45@bluerosetech.com>

The update to net/samba4{5,6,7} addressing CVEs went to head on March 
13.  The security/openssl update to 1.0.2o was committed to head with 
MFH 2018Q1 explicitly asked for in the commit message.  In both cases, 
2018Q1 expired before the MFH happened.

Last year, r453380 updated security/openssl in head to 1.0.2m the same 
day it was available upstream.  The commit was flagged MFH 2017Q4, but 
it took opening a bug asking for the MFH three weeks later.

Delays like this mean that, for the vast majority of users, security 
fixes are delayed by up to three months.

Is there a process hindering security merges?

Can those of us who aren't committers do anything to help improve this 
process?


