Date: Sun, 16 Jun 2013 18:17:19 +0000
From: "b.f." <bf1783@googlemail.com>
To: Eitan Adler <eadler@freebsd.org>
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: svn commit: r321045 - head/security/tor-devel
Message-ID: <CAGFTUwP-_xJUTdj=hr7wM_BV-=Bo%2BktE1ud6s3n1eBizjUH=fQ@mail.gmail.com>
In-Reply-To: <CAF6rxgnC8hDDwTW9NxqCDs8YEYyFRLzzDm=g=94A5Fn6GdXveA@mail.gmail.com>
References: <201306161247.r5GCloLW020616@svn.freebsd.org> <CAF6rxgm3x4VgGCnWBJC5SanViZuj1ZNQ-qfsZFgwiSmpBkvXuQ@mail.gmail.com> <CAGFTUwPZM4u6LYvx_rsF4My7tHPZKS3V_N2YO7ur29HQyesOsQ@mail.gmail.com> <CAF6rxgnC8hDDwTW9NxqCDs8YEYyFRLzzDm=g=94A5Fn6GdXveA@mail.gmail.com>
On 6/16/13, Eitan Adler <eadler@freebsd.org> wrote:
> On Sun, Jun 16, 2013 at 4:06 PM, b.f. <bf1783@googlemail.com> wrote:
>> In this case no CVEs were issued
>
> This is odd.

Not very, when you consider that this is development code, and not a stable release. It would be absurd to think that every developer goes running to a CNA every time they find any problem in their repository.

The CVEs represent only the tip of the iceberg when it comes to security problems: serious problems in common, released software that have been disclosed through certain channels to Mitre, CERT, or one of the other CNAs, and are approved for inclusion in the database. Not every bug is found, fewer still are disclosed, and even fewer are reported to a CNA and given a CVE-ID.

The Tor developers are very conscientious when it comes to reporting bugs, even ones that are unlikely to be exploited. They often fix and report problems that would go undetected or undisclosed in other projects. But only some of the most serious bugs are reported by the project or by others to a CNA.

b.