Ports security [was: Ports/source dance]

[Simon L. Nielsen]

On 2006.08.11 10:10:19 +0300, Adrian Penisoara wrote:
> On 8/10/06, Mark Bucciarelli <mark at gaiahost.coop> wrote:
> >
> >There's a scary security alert from yesterday out and no port
> >update so I judged it to be isp-related.  I looked for
> >ports-security list but didn't see one.
>
> You know, that might be a very good ideea -- e.g. have a security team and
> list for ports as we have one for the base distribution. There should be
> enough volunteers.
> 
> What would the FreeBSD security officer say about this ?

I was not on freebsd-isp, so I hadn't seen the start of this thread.

Ports security issues should go to either freebsd-ports@,
freebsd-security@, or directly to the FreeBSD Security Team at
secteam at FreeBSD.org, if you want to catch the attention of the
Security Team.

I don't currently see enough volume with regards to ports security
issues to warrant a separate mailing list.  I think using
freebsd-security@ should be fine, and we can always create a new list
if needed.

With regards to a separate security team for ports, it has been
discussed in the past, but so far hasn't been created mainly since it
haven't been a problem for secteam members working on ports just being
part of the "normal" secteam, while only/mostly working on ports
issues.

It would be very nice if more people helped out with the ports side of
FreeBSD security, but when we had the last call for volunteers among
committers there weren't a lot of people volunteering to help out with
ports as part of the Security Team.

That said, it's certainly no requirement to be a committer or to be
part of secteam to help out.  Just create VuXML entries [1] [2] and
send them to freebsd-vuxml at FreeBSD.org or secteam at FreeBSD.org for
review and commit, or fix issues and send patches as PR's where
secteam is CC'ed.

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer