> Mark Felder wrote:
>> Who is "ports-secteam"?
>
> It was Xin Li who alerted me to the ports-secteam at freebsd.org address
> i.e., as being distinct from the "FreeBSD Security Team"
> (secteam at freebsd.org) address noted on
> <https://www.freebsd.org/security/>.
Also have to thank Remko Lodder for pointing out the ports-secteam@ address.
Should also note that while the ports-secteam@ is not mentioned in
<freebsd.org/security> or various other places where it probably should be
(like the Types of Problem Reports page
</doc/en_US.ISO8859-1/articles/pr-guidelines/pr-types.html>)
it is noted in the Port Specific FAQ </doc/
en_US.ISO8859-1/articles/pr-guidelines/pr-types.html> and on the port
mainters' page </ports/ports-mgmt.html>.
Roger
>
>> There has been no Call For Help that I've ever seen. If people are
needed
>> to process these CVEs so they are entered into VUXML, sign me up to
>> ports-secteam please.
>
> I believe that is part of the problem, or the multiple problems, that
> lead me to believe that FreeBSD is operating without the active
> involvement of a security officer. Specifically:
>
> * port vulnerability alerts sent to secteam@, as indicated on the
> /security/ page, are neither forwarded to ports-secteam@ for review nor
> returned to the sender with a note regarding the correct destination
> address,
>
> * the freebsd.org/security web page is not correct and not being
> updated,
>
> * aside from Xin nobody from either ports-secteam@ or secteam@ much
> less security-officer@ seems to be reading or participating in the
> security@ mailing list,
>
> * nobody @freebsd.org appears to be following CVE announcements and the
> maintainers of several high profile ports are also not following it or
> even their application's -announce list,
>
> * there appears to be no automated process to alert vuln.xml maintainers
> (ports-secteam@) of potential new port vulnerabilities,
>
> * offers of help to secteam@ and ports-secteam@ are neither replied to
> nor acted upon (except for Xin Li's request, thanks Xin!),
>
> * perhaps as a result the vuln.xml database is no longer reliable, and
> by extension,
>
> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
> OpenBSD server operators) have no assurance that their systems are
secure.
>
> This is a MAJOR CHANGE from just a couple of years ago which calls for an
> equally major heads-up to be sent to those running FreeBSD servers and
> looking to the freebsd.org website for help securing their systems.
>
> The signifiance of these 7 bullets should not be overlooked or
> understated. They call in to question the viability of FreeBSD itself.
>
> IMO,
> Roger Marquis
>