> Mark Felder wrote: >> Who is "ports-secteam"? > > It was Xin Li who alerted me to the ports-sect...@freebsd.org address > i.e., as being distinct from the "FreeBSD Security Team" > (sect...@freebsd.org) address noted on > <https://www.freebsd.org/security/>.
Also have to thank Remko Lodder for pointing out the ports-secteam@ address. Should also note that while the ports-secteam@ is not mentioned in <freebsd.org/security> or various other places where it probably should be (like the Types of Problem Reports page </doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html>) it is noted in the Port Specific FAQ </doc/ en_US.ISO8859-1/articles/pr-guidelines/pr-types.html> and on the port mainters' page </ports/ports-mgmt.html>. Roger > >> There has been no Call For Help that I've ever seen. If people are needed >> to process these CVEs so they are entered into VUXML, sign me up to >> ports-secteam please. > > I believe that is part of the problem, or the multiple problems, that > lead me to believe that FreeBSD is operating without the active > involvement of a security officer. Specifically: > > * port vulnerability alerts sent to secteam@, as indicated on the > /security/ page, are neither forwarded to ports-secteam@ for review nor > returned to the sender with a note regarding the correct destination > address, > > * the freebsd.org/security web page is not correct and not being > updated, > > * aside from Xin nobody from either ports-secteam@ or secteam@ much > less security-officer@ seems to be reading or participating in the > security@ mailing list, > > * nobody @freebsd.org appears to be following CVE announcements and the > maintainers of several high profile ports are also not following it or > even their application's -announce list, > > * there appears to be no automated process to alert vuln.xml maintainers > (ports-secteam@) of potential new port vulnerabilities, > > * offers of help to secteam@ and ports-secteam@ are neither replied to > nor acted upon (except for Xin Li's request, thanks Xin!), > > * perhaps as a result the vuln.xml database is no longer reliable, and > by extension, > > * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and > OpenBSD server operators) have no assurance that their systems are secure. > > This is a MAJOR CHANGE from just a couple of years ago which calls for an > equally major heads-up to be sent to those running FreeBSD servers and > looking to the freebsd.org website for help securing their systems. > > The signifiance of these 7 bullets should not be overlooked or > understated. They call in to question the viability of FreeBSD itself. > > IMO, > Roger Marquis > _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
