From owner-freebsd-arch Tue Nov 21 22:24:35 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66])
	by hub.freebsd.org (Postfix) with ESMTP
	id C6A1237B479; Tue, 21 Nov 2000 22:24:30 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
	by rover.village.org (8.11.0/8.11.0) with ESMTP id eAM6OTQ33939;
	Tue, 21 Nov 2000 23:24:29 -0700 (MST)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1])
	by harmony.village.org (8.9.3/8.8.3) with ESMTP id XAA40393;
	Tue, 21 Nov 2000 23:24:29 -0700 (MST)
Message-Id: <200011220624.XAA40393@harmony.village.org>
To: opentrax@email.com
Subject: Re: New security policy for FreeBSD 3.x
Cc: security-officer@FreeBSD.ORG, arch@FreeBSD.ORG
In-reply-to: Your message of "Tue, 21 Nov 2000 10:43:05 PST."
	<200011211843.KAA00298@spammie.svbug.com>
References: <200011211843.KAA00298@spammie.svbug.com>
Date: Tue, 21 Nov 2000 23:24:29 -0700
From: Warner Losh
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <200011211843.KAA00298@spammie.svbug.com> opentrax@email.com writes:
: Please note I've cc'd to arch. Could you make your
: comments there?
:
: On 19 Nov, FreeBSD Security Advisories wrote:
: > -----BEGIN PGP SIGNED MESSAGE-----
: >
: > The FreeBSD Security Officer would like to announce a change in policy
: > regarding security support for the FreeBSD 3.x branch.
: >
: > Due to the frequent difficulties encountered in fixing the old code
: > contained in FreeBSD 3.x, we will no longer be requiring security
: > problems to be fixed in that branch prior to the release of an
: > advisory that also pertains to FreeBSD 4.x. In recent months this
: > requirement has led to delays in the release of advisories, which
: > negatively impacts users of the current FreeBSD release branch
: > (FreeBSD 4.x).
: >
: Could you clarify exactly what you are saying? It's not clear.
: Perhaps a chart might help.

[[ included original text to give context ]]

Generally speaking, fixes go into -current first, then are MFC to
4.x-stable and then MFC to 3.x-stable. Sometimes the MFC is easy
(when the code is substantially identical) and sometimes it isn't.
In the cases it isn't, we won't hold up the advisory for a 3.x fix.

We will inform select interested and sufficiently clueful parties of
pending advisories for which no 3.x solution is available. If they
can get us a fix for 3.x before we release our advisory (usually a few
days to a week depending on its severity and other factors), we will
include it in the advisory. If not, then the advisory goes out anyway
without a 3.x fix, with the usual room for negotiation for reasonable
extensions.

In other words, fixes for 3.x will no longer gate security advisories,
but will be included if available.

Warner


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message