Date: Wed, 12 Oct 2005 18:32:36 +0200
From: Ivan Voras <ivoras@fer.hr>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Message-ID: <434D3AA4.1020000@fer.hr>
In-Reply-To: <6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434CBDC2.4070405@open-networks.net> <434CE0F1.6090400@htnet.hr> <20051012134440.GA17517@droopy.unibe.ch> <434D1A21.9040104@fer.hr> <6.2.3.4.0.20051012101734.0675f208@64.7.153.2>
Mike Tancsa wrote:
> At 10:13 AM 12/10/2005, Ivan Voras wrote:
>> My idea is that there could maybe be some "core" ports, about 1500 or so,
>
> This sounds like a recipe for confusion. Some users have problems
> distinguishing between what's in the base, and what's out of the ports.
> Another type of "pseudo base app" would just add to the confusion. User

I agree that "core ports" is a very confusing name... maybe something like
"ports with extended security support" :)

> / admins need to take *some* responsibility for what is installed on
> their system. Many ports are not very well maintained in the first
> place and to say that the security team should be responsible for
> another 1500 applications is not realistic.

No, not the FreeBSD security team - I mentioned them only as a reference
for "how long does it make sense to support a release". All ports that
would get the extended support will HAVE to be supported by their
respective maintainers/authors. Any port whose maintainer doesn't want to
do it this way will automatically get kicked off the list.

The reason why I think this would work is that I think that many
widely-used applications (e.g.: apache, php, mysql, postgresql, perl,
postfix) are well maintained by their authors and there would certainly be
an audience among the maintainers themselves for such a thing.

To summarize:

- each release would tag the ports tree with RELENG_x_y
- on that tag, certain ports would be supported security-wise by their
  maintainers for as long as RELENG_x_y itself is supported by the
  security team, being careful to leave the same version of the port (or
  one that's 100% backward compatible).
- other ports would not be supported/maintained, and will just be "frozen
  in time" by the CVS tag.