Date: Mon, 17 Jun 2013 12:03:06 +0200 From: Remko Lodder <remko@FreeBSD.org> To: Martin Wilke <miwi@bsdhash.org> Cc: bf1783@gmail.com, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, Eitan Adler <eadler@freebsd.org>, ports-committers@freebsd.org Subject: Re: svn commit: r321045 - head/security/tor-devel Message-ID: <CAEAatoj_FsJKgrTN64T0bZQ2XEvOqMcUvhhOrbj_Lt9TP2HGag@mail.gmail.com> In-Reply-To: <E35BA0BD-766D-4E50-BFBF-A2DB089D8435@bsdhash.org> References: <201306161247.r5GCloLW020616@svn.freebsd.org> <CAF6rxgm3x4VgGCnWBJC5SanViZuj1ZNQ-qfsZFgwiSmpBkvXuQ@mail.gmail.com> <CAGFTUwPZM4u6LYvx_rsF4My7tHPZKS3V_N2YO7ur29HQyesOsQ@mail.gmail.com> <CAF6rxgnC8hDDwTW9NxqCDs8YEYyFRLzzDm=g=94A5Fn6GdXveA@mail.gmail.com> <CAGFTUwP-_xJUTdj=hr7wM_BV-=Bo%2BktE1ud6s3n1eBizjUH=fQ@mail.gmail.com> <CAF6rxgk1CF9SySZkdKykVvd9M8VfHm2oHvCFKX=zhZ=UznO8hw@mail.gmail.com> <E35BA0BD-766D-4E50-BFBF-A2DB089D8435@bsdhash.org>
next in thread | previous in thread | raw e-mail | index | archive | help
I think this would create severe overhead, any possible heap/buffer overflow could fall under this. So unless there is an immediate risk (severe) or CVE / advisory from some place, I also do not think we should document these kind of things. -devel has the nature of being potentially insecure and updated a lot (more then non-devel versions). People using that should know that and keep themselves informed about the software they are using. //Remko On Mon, Jun 17, 2013 at 12:58 AM, Martin Wilke <miwi@bsdhash.org> wrote: > > On Jun 17, 2013, at 2:50 AM, Eitan Adler <eadler@FreeBSD.ORG> wrote: > > > On Sun, Jun 16, 2013 at 8:17 PM, b.f. <bf1783@googlemail.com> wrote: > >> On 6/16/13, Eitan Adler <eadler@freebsd.org> wrote: > >>> On Sun, Jun 16, 2013 at 4:06 PM, b.f. <bf1783@googlemail.com> wrote: > >>>> In this case no CVEs were issued > >>> > >>> This is odd. > >> > >> Not very, when you consider that this is development code, and not a > >> stable release. It would be absurd to think that every developer goes > >> running to a CNA every time they find any problem in their repository. > > > > CVEs are given for beta releases (see CVE mailing lists for details). > > I don't think debating this point is very important. > > > > > >> Not > >> every bug is found, fewer still are disclosed, and even fewer are > >> reported to a CNA and given a CVE-ID. > > > > Agreed > > > >> The Tor developers are very conscientious when it comes to reporting > >> bugs, even ones that are unlikely to be exploited. They often fix and > >> report problems that would go undetected or undisclosed in other > >> projects. But only some of the most serious bugs are reported by the > >> project or by others to a CNA. > > > > Understood. > > > > Back to the point at hand, I do think this should be documented in VuXML. > > I don't think so. You are really getting annoying with telling people > what there have to do.. > > We never documented -devel and it should be never documented as brandan > already pointed out its development code. > > - Martin > > > > > > > -- > > Eitan Adler > > Source, Ports, Doc committer > > Bugmeister, Ports Security teams > > > > +-----------------oOO--(_)--OOo-------------------------+ > With best Regards, > Martin Wilke (miwi_(at)_FreeBSD.org) > > Mess with the Best, Die like the Rest > > _______________________________________________ > svn-ports-all@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/svn-ports-all > To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAEAatoj_FsJKgrTN64T0bZQ2XEvOqMcUvhhOrbj_Lt9TP2HGag>