On Thu, Aug 13, 2015 at 05:01:29PM -0400, Mason Loring Bliss wrote:
> On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:
> >
> [info@ removed, not sure why that email address was included.]
>
> I'm hoping for pressure from above, as this is an important step that's
> evidently being taken without quarterly branch security being bumped up in
> priority. It seems to come as a surprise to many folks, and certainly I
> wasn't aware of it until last week. (Also, board@ is now deprecated.)
>
"Putting pressure" isn't the role of the Foundation. Quarterly package builds happen every few days (two, if I remember correctly), and as I was writing this reply, an updated package set for 10.x i386 was made available. So the appropriate steps are to contact the committer that resolved a vulnerable port in the latest branch to remind them to also fix it in the quarterly branch, and failing that, contact ports-secteam@ (similar to how one would report an issue in the base system to secteam@).

Glen