New pkg audit / vuln.xml failures (php55, unzoo)

Robert Simmons rsimmons0 at gmail.com
Tue Jun 2 15:12:13 UTC 2015


On Fri, May 29, 2015 at 5:15 PM, Robert Simmons <rsimmons0 at gmail.com> wrote:
> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery <bdrewery at freebsd.org> wrote:
>> I think the VUXML database needs to be simpler to contribute to. Only a
>> handful of committers feel comfortable touching the file. We have also
>> had the wrong pervasive mentality by committers and users that the vuxml
>> database should only have an entry if there is a committed fix. This is
>> totally wrong. These CVE are _already public_ in all of these cases.
>> Users deserve to know that there is a known issue with a package they
>> have installed. I can understand how the mentality grew to what it is
>> with some people, but the fact that there is not an update doesn't
>> change that the user's system is insecure and needs to be dealt with. If
>> the tool can't reliably report issues then it is not worth trusting.
>> TL;DR; the file needs to be simpler. I know there is an effort to use
>> CPE but I'm not too familiar with where it is going.
>>
>> As for maintainers tracking upstream mailing lists, this is hard. I'm
>> subscribed to a lot of lists and can't keep up with all of the traffic.
>>
>> The RedHat security team and reporting is very impressive. Don't forget
>> that they are a funded company though. Perhaps the FreeBSD Foundation
>> needs to fund a fulltime security officer that is devoted to both Ports
>> and Src. Just the Ports piece is easily a fulltime job.
>
> It seems from this thread that we have a group of people who are
> passionate enough about fixing this problem.
>
> How do we find out who the members of the Ports Secteam are? Once we
> know that, I'd say that at least some of the people on this thread are
> willing to join the Ports Secteam (myself included). How do we join
> the team?
>
> Once the team has new and energized members, I would envision the team
> then working through the problems that have been outlined in this
> thread and putting together a plan for fixing them.

Crickets.....

May I ask again:

How do we find out who the members of the Ports Secteam are?

How do we join the team?


More information about the freebsd-ports mailing list