Quarterly ports trees not getting security updates?

[Tijl Coosemans]

On Tue, 26 Aug 2014 20:15:50 -0400 J David <j.david.lists at gmail.com> wrote:
> When the quarterly ports trees were introduced, they were described as
> including security, build, and runtime fixes for 3 months.
> 
> This is a great idea, and with 2014Q2 it seemed to work pretty well.
> However, it doesn't seem like 2014Q3 is getting security fixes.
> 
> For example, the openssl port has never been updated since branch;
> it's still on 1.0.1_13, which has 9 open CVE's against it.  Other
> ports have similar issues (e.g. serf and subversion).
> 
> What could a non-expert such as myself do to help with this?  Is it
> just a matter of trying to identify the relevant commits from the head
> of the ports tree, or is there more to it?

In Q3 a lot of people were on vacation of course, but the main problem
I think is that few if any committers are dogfooding the quarterly
branches so we are simply not giving enough attention to it.

Personally I find 3 months to be too long.  I think 1 month would fit
people's update schedules better.  I tend to update my machines roughly
once a month, the FreeBSD cluster machines are updated once a month,
there's Microsoft's monthly patch Tuesday, etc.  One month is also long
enough to introduce major updates at the beginning of the month and
have everything working by the end of the month, yet short enough that
most updates can wait until the next snapshot and don't have to be
merged.  And important security fixes will be easier to merge to a one
month old ports tree than a 3 month old one.