How to get timely MFH of security commits?
Mel Pilgrim
list_freebsd at bluerosetech.com
Wed Apr 4 09:30:56 UTC 2018

On 04/04/2018 00:00, Thomas Zander wrote:
> Hi,
>
> On 2 April 2018 at 18:50, Mel Pilgrim <list_freebsd at bluerosetech.com> wrote:
>> The update to net/samba4{5,6,7} addressing CVEs went to head on March 13.
>> The security/openssl update to 1.0.2o was committed to head with MFH 2018Q1
>> explicitly asked for in the commit message. In both cases, 2018Q1 expired
>> before the MFH happened.
>> [...]
>> Can those of us who aren't committers do anything to help improve this
>> process?
>
> the timely MFH of important security fixes is of course our top concern.
> In the given example of the samba fixes, we did not receive an email
> (which happens automatically when the MFH: tag in the commit message
> refers to a quarterly branch) to ports-secteam on March 13, hence this
> apparently slipped our attention for several days.
> If you feel like an important and/or urgent fix that needs MFH might
> have slipped, i.e. two days after the commit to head happened, please
> do not hesitate and give us a heads-up to ports-secteam at freebsd.org.

Thank you for clarifying the timeframe for expecting an MFH. In the
future, if I see one missed I'll add ports-secteam at freebsd.org to the CC
list of the bug.

On the topic of MFH emails, were those for r453380 and r465710 (both
security updates to security/openssl with MFH tags) not sent?