From owner-freebsd-ports@FreeBSD.ORG Wed Aug 27 11:07:32 2014
Date: Wed, 27 Aug 2014 13:07:22 +0200
From: Tijl Coosemans
To: J David
Cc: freebsd-questions@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Quarterly ports trees not getting security updates?
Message-ID: <20140827130722.6ecfb464@kalimero.tijl.coosemans.org>
List-Id: Porting software to FreeBSD

On Tue, 26 Aug 2014 20:15:50 -0400 J David wrote:
> When the quarterly ports trees were introduced, they were described as
> including security, build, and runtime fixes for 3 months.
>
> This is a great idea, and with 2014Q2 it seemed to work pretty well.
> However, it doesn't seem like 2014Q3 is getting security fixes.
>
> For example, the openssl port has never been updated since branch;
> it's still on 1.0.1_13, which has 9 open CVEs against it. Other
> ports have similar issues (e.g. serf and subversion).
>
> What could a non-expert such as myself do to help with this? Is it
> just a matter of trying to identify the relevant commits from the head
> of the ports tree, or is there more to it?

In Q3 a lot of people were on vacation of course, but the main problem, I think, is that few if any committers are dogfooding the quarterly branches, so we are simply not giving enough attention to them.

Personally I find 3 months to be too long. I think 1 month would fit people's update schedules better. I tend to update my machines roughly once a month, the FreeBSD cluster machines are updated once a month, there's Microsoft's monthly Patch Tuesday, etc.

One month is also long enough to introduce major updates at the beginning of the month and have everything working by the end of the month, yet short enough that most updates can wait until the next snapshot and don't have to be merged. And important security fixes will be easier to merge to a one-month-old ports tree than a 3-month-old one.