How to get timely MFH of security commits?
Mel Pilgrim
list_freebsd at bluerosetech.com
Mon Apr 2 16:50:13 UTC 2018
The update to net/samba4{5,6,7} addressing CVEs went to head on March
13. The security/openssl update to 1.0.2o was committed to head with
MFH 2018Q1 explicitly asked for in the commit message. In both cases,
2018Q1 expired before the MFH happened.
Last year, r453380 updated security/openssl in head to 1.0.2m the same
day it was available upstream. The commit was flagged MFH 2017Q4, but
it took opening a bug asking for the MFH three weeks later.
Delays like this mean that, for the vast majority of users, security
fixes are delayed by up to three months.
Is there a process hindering security merges?
Can those of us who aren't committers do anything to help improve this
process?
More information about the freebsd-ports
mailing list