On 28 May 2015 at 17:47, Bryan Drewery <bdrew...@freebsd.org> wrote:

> I think the VUXML database needs to be simpler to contribute to. Only a
> handful of committers feel comfortable touching the file. We have also
> had the wrong pervasive mentality by committers and users that the vuxml
> database should only have an entry if there is a committed fix. This is
> totally wrong. These CVEs are _already public_ in all of these cases.
> Users deserve to know that there is a known issue with a package they
> have installed. I can understand how the mentality grew to what it is
> with some people, but the fact that there is not an update doesn't
> change that the user's system is insecure and needs to be dealt with. If
> the tool can't reliably report issues then it is not worth trusting.
>
> TL;DR; the file needs to be simpler. I know there is an effort to use
> CPE but I'm not too familiar with where it is going.
May I suggest a more pragmatic format of package+version, type of issue, URL for further info.

> The RedHat security team and reporting is very impressive. Don't forget
> that they are a funded company though. Perhaps the FreeBSD Foundation
> needs to fund a fulltime security officer that is devoted to both Ports
> and Src. Just the Ports piece is easily a fulltime job.

There seem to be a lot of eyes on the ports-bugs@ list from the community; a heads-up about vulnerabilities via the bug tracker may help in the meantime?

Sevan / Venture37