From: "b.f."
Date: Sun, 16 Jun 2013 18:17:19 +0000
Subject: Re: svn commit: r321045 - head/security/tor-devel
To: Eitan Adler
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Reply-To: bf1783@gmail.com
References: <201306161247.r5GCloLW020616@svn.freebsd.org>
List-Id: SVN commit messages for the ports tree for head

On 6/16/13, Eitan Adler wrote:
> On Sun, Jun 16, 2013 at 4:06 PM, b.f. wrote:
>> In this case no CVEs were issued
>
> This is odd.

Not very, when you consider that this is development code, and not a stable release. It would be absurd to think that every developer goes running to a CNA every time they find any problem in their repository.

The CVEs represent only the tip of the iceberg when it comes to security problems: serious problems in common, released software that have been disclosed through certain channels to Mitre, CERT, or one of the other CNAs, and are approved for inclusion in the database. Not every bug is found, fewer still are disclosed, and even fewer are reported to a CNA and given a CVE-ID.

The Tor developers are very conscientious when it comes to reporting bugs, even ones that are unlikely to be exploited. They often fix and report problems that would go undetected or undisclosed in other projects. But only some of the most serious bugs are reported by the project or by others to a CNA.

b.