From: "Vlad K." <vlad-fbsd@acheronmedia.com>
To: freebsd-ports@freebsd.org
Date: Tue, 05 Dec 2017 12:47:21 +0100
Subject: Re: Missing fixes for various ports in Q4 branch?
Organization: Acheron Media
In-Reply-To: <3A3D1671-936D-4BE7-9B6F-E73E3BA81A06@punkt.de>
References: <0C45356F-037F-4BF8-8222-0F82879F6A5D@punkt.de> <20171205105529.GR2827@home.opsec.eu> <94AC4DE0-78AB-4EB4-BE43-682D2CCEDB9B@punkt.de> <3A3D1671-936D-4BE7-9B6F-E73E3BA81A06@punkt.de>

On 2017-12-05 12:32, Patrick M. Hausen wrote:
> We relied on just updating the branch every night and running
> poudriere ... looks like I should implement something around pkg audit
> that sends us daily status reports.

Yes, but note that pkg audit depends on VuXML, which is also not up to date (it's on a best-effort basis, just like MFH).

There's some effort going on to automate CVE entries, but until that's implemented (and if at all, as automation depends on CPE, which many ports do not have), I'd suggest tracking CVEs independently in order to be best informed. Following Linux distros' secvuln announcements (Canonical's, Red Hat's, Debian's) is a good start, as is being subscribed to the oss-sec list, and of course the NVD or MITRE feeds themselves.

* https://usn.ubuntu.com/usn/rss.xml
* https://www.debian.org/security/dsa
* https://cve.mitre.org/

It'd be very helpful if bug reports were filed on FreeBSD's Bugzilla (https://bugs.freebsd.org), tagged with the keyword "security", if any undocumented vulns (not submitted to VuXML) are found.

-- 
Vlad K.
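One way to act on the suggestion above, as an added example that is not part of the original mail or of any FreeBSD tooling: cross-check the USN RSS feed against the packages installed on a host. It assumes the feed's items carry titles of the form "USN-NNNN-N: <software> vulnerabilities" and that the installed list comes from `pkg query '%n-%v'`; both inputs are constructed inline here so the script runs offline.

```python
"""Triage helper: which USN advisories name software that is installed here?

Added example, not from the original thread. Matching is by software name
only (Ubuntu source-package names and FreeBSD port names often differ), so
treat hits as a prompt to check the CVE against the FreeBSD port, not as
proof of exposure. Constructed sample inputs follow.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for https://usn.ubuntu.com/usn/rss.xml
SAMPLE_FEED = """<rss version="2.0"><channel>
<item><title>USN-0001-1: OpenSSL vulnerabilities</title><link>https://usn.ubuntu.com/0001-1/</link></item>
<item><title>USN-0002-1: curl vulnerabilities</title><link>https://usn.ubuntu.com/0002-1/</link></item>
<item><title>USN-0003-1: Linux kernel vulnerabilities</title><link>https://usn.ubuntu.com/0003-1/</link></item>
</channel></rss>"""

# Constructed stand-in for the output of: pkg query '%n-%v'
SAMPLE_INSTALLED = """openssl-1.0.2n
curl-7.57.0
nginx-1.12.2_1
"""


def installed_names(pkg_query_output):
    """'%n-%v' lines -> set of lowercase package names with the version stripped."""
    names = set()
    for line in pkg_query_output.splitlines():
        line = line.strip()
        if line:
            # The version is the part after the last '-' that starts with a digit.
            m = re.match(r"(.+?)-\d[^-]*$", line)
            names.add((m.group(1) if m else line).lower())
    return names


def parse_usn_feed(rss_text):
    """Return (usn_id, software_name, link) for every advisory item in the feed."""
    advisories = []
    for item in ET.fromstring(rss_text).iter("item"):
        m = re.match(r"(USN-[\d-]+):\s+(.+?)\s+vulnerabilit", item.findtext("title", ""))
        if m:
            advisories.append((m.group(1), m.group(2).lower(), item.findtext("link", "")))
    return advisories


def match_advisories(rss_text, pkg_query_output):
    """Advisories whose software name equals an installed package name."""
    names = installed_names(pkg_query_output)
    return [adv for adv in parse_usn_feed(rss_text) if adv[1] in names]


if __name__ == "__main__":
    for usn_id, name, link in match_advisories(SAMPLE_FEED, SAMPLE_INSTALLED):
        print(f"{usn_id}: installed package '{name}' is named in {link}")
```

In production the feed would be fetched (for example with fetch(1)) and the package list piped in from pkg query; a daily cron job mailing the output complements, rather than replaces, pkg audit.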