From owner-freebsd-ports@FreeBSD.ORG Tue Jun 2 15:12:13 2015
Date: Tue, 2 Jun 2015 11:12:11 -0400
From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-ports@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
List-Id: Porting software to FreeBSD

On Fri, May 29, 2015 at 5:15 PM, Robert Simmons wrote:
> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery wrote:
>> I think the VUXML database needs to be simpler to contribute to. Only a
>> handful of committers feel comfortable touching the file. We have also
>> had the wrong pervasive mentality by committers and users that the vuxml
>> database should only have an entry if there is a committed fix. This is
>> totally wrong. These CVEs are _already public_ in all of these cases.
>> Users deserve to know that there is a known issue with a package they
>> have installed. I can understand how the mentality grew to what it is
>> with some people, but the fact that there is not an update doesn't
>> change that the user's system is insecure and needs to be dealt with. If
>> the tool can't reliably report issues then it is not worth trusting.
>> TL;DR; the file needs to be simpler. I know there is an effort to use
>> CPE but I'm not too familiar with where it is going.
>>
>> As for maintainers tracking upstream mailing lists, this is hard. I'm
>> subscribed to a lot of lists and can't keep up with all of the traffic.
>>
>> The RedHat security team and reporting is very impressive. Don't forget
>> that they are a funded company though. Perhaps the FreeBSD Foundation
>> needs to fund a full-time security officer that is devoted to both Ports
>> and Src. Just the Ports piece is easily a full-time job.
>
> It seems from this thread that we have a group of people who are
> passionate enough about fixing this problem.
>
> How do we find out who the members of the Ports Secteam are? Once we
> know that, I'd say that at least some of the people on this thread are
> willing to join the Ports Secteam (myself included). How do we join
> the team?
>
> Once the team has new and energized members, I would envision the team
> then working through the problems that have been outlined in this
> thread and putting together a plan for fixing them.

Crickets.....

May I ask again: How do we find out who the members of the Ports Secteam are? How do we join the team?