svn commit: r321045 - head/security/tor-devel

Remko Lodder remko at FreeBSD.org
Mon Jun 17 10:03:13 UTC 2013


I think this would create severe overhead, any possible heap/buffer
overflow could fall under this. So unless there is an immediate risk
(severe) or CVE / advisory from some place, I also do not think we should
document these kinds of things. -devel has the nature of being potentially
insecure and updated a lot (more than non-devel versions). People using
that should know that and keep themselves informed about the software they
are using.

//Remko


On Mon, Jun 17, 2013 at 12:58 AM, Martin Wilke <miwi at bsdhash.org> wrote:

>
> On Jun 17, 2013, at 2:50 AM, Eitan Adler <eadler at FreeBSD.ORG> wrote:
>
> > On Sun, Jun 16, 2013 at 8:17 PM, b.f. <bf1783 at googlemail.com> wrote:
> >> On 6/16/13, Eitan Adler <eadler at freebsd.org> wrote:
> >>> On Sun, Jun 16, 2013 at 4:06 PM, b.f. <bf1783 at googlemail.com> wrote:
> >>>> In this case no CVEs were issued
> >>>
> >>> This is odd.
> >>
> >> Not very, when you consider that this is development code, and not a
> >> stable release.  It would be absurd to think that every developer goes
> >> running to a CNA every time they find any problem in their repository.
> >
> > CVEs are given for beta releases (see CVE mailing lists for details).
> > I don't think debating this point is very important.
> >
> >
> >> Not
> >> every bug is found, fewer still are disclosed, and even fewer are
> >> reported to a CNA and given a CVE-ID.
> >
> > Agreed
> >
> >> The Tor developers are very conscientious when it comes to reporting
> >> bugs, even ones that are unlikely to be exploited. They often fix and
> >> report problems that would go undetected or undisclosed in other
> >> projects.  But only some of the most serious bugs are reported by the
> >> project or by others to a CNA.
> >
> > Understood.
> >
> > Back to the point at hand, I do think this should be documented in VuXML.
>
> I don't think so.  You are really getting annoying with telling people
> what they have to do.
>
> We never documented -devel and it should never be documented, as Brendan
> already pointed out it's development code.
>
> - Martin
>
> >
> >
> > --
> > Eitan Adler
> > Source, Ports, Doc committer
> > Bugmeister, Ports Security teams
> >
>
> +-----------------oOO--(_)--OOo-------------------------+
> With best Regards,
>        Martin Wilke (miwi_(at)_FreeBSD.org)
>
> Mess with the Best, Die like the Rest
>
