Quarterly packages and security updates...

Mason Loring Bliss mason at blisses.org
Fri Aug 14 17:31:46 UTC 2015


On Fri, Aug 14, 2015 at 10:27:44AM -0500, Mark Felder wrote:

> You should not see vulnerable packages in the quarterly branch unless
> there is no public fix available. If you come across this type of
> situation where it is fixed in HEAD but not in the quarterly branch
> please email the maintainer and ports-secteam@ ASAP.

Sounds reasonable.


> I can't speak to subversion at the moment

My next email noted that I had held back Subversion intentionally, so that
one was my fault.


> Quarterly branch has 40.0_4,1  which I linked above (r394030), so this
> does not apply either.

Now, THAT is cheating. Firefox wasn't updated in the quarterly branch until
*after* I pointed it out on the list.


> The packages are there, so I don't understand how you observe these
> packages to still be vulnerable.

How about, two of them were vulnerable until I wrote to the list with the
dismaying thought that we were going to ship vulnerable packages, at which
point someone with the ability to push packages around decided to fix
them...?

That said, I will happily use the mechanisms you noted if I see this sort of
situation in the future, and I am sincerely, deeply grateful that the high-
profile stuff I pointed out was fixed so rapidly in response to my pointing
it out.

-- 
Mason Loring Bliss  ((   If I have not seen as far as others, it is because
 mason at blisses.org   ))   giants were standing on my shoulders. - Hal Abelson