> On Fri, May 29, 2015 at 5:15 PM, Robert Simmons <rsimmons0 at
gmail.com> wrote:
> Crickets.....
>
> May I ask again:
>
> How do we find out who the members of the Ports Secteam are?
>
> How do we join the team?
Anyone?
>> On Thu, May 28, 2015 at 12:47 PM, Bryan Drewery <bdrewery at
freebsd.org>
>> wrote:
>>> I think the VUXML database needs to be simpler to contribute to.
Only a
>>> handful of committers feel comfortable touching the file. We have
also
>>> had the wrong pervasive mentality by committers and users that the
vuxml
>>> database should only have an entry if there is a committed fix.
This is
>>> totally wrong. These CVE are _already public_ in all of these
cases.
>>> Users deserve to know that there is a known issue with a package
they
>>> have installed. I can understand how the mentality grew to what it
is
>>> with some people, but the fact that there is not an update
doesn't
>>> change that the user's system is insecure and needs to be dealt
with. If
>>> the tool can't reliably report issues then it is not worth
trusting.
>>> TL;DR; the file needs to be simpler. I know there is an effort to
use
>>> CPE but I'm not too familiar with where it is going.
>>>
>>> As for maintainers tracking upstream mailing lists, this is hard.
I'm
>>> subscribed to a lot of lists and can't keep up with all of the
traffic.
>>>
>>> The RedHat security team and reporting is very impressive.
Don't forget
>>> that they are a funded company though. Perhaps the FreeBSD
Foundation
>>> needs to fund a fulltime security officer that is devoted to both
Ports
>>> and Src. Just the Ports piece is easily a fulltime job.
>>
>> It seems from this thread that we have a group of people who are
>> passionate enough about fixing this problem.
>>
>> How do we find out who the members of the Ports Secteam are? Once we
>> know that, I'd say that at least some of the people on this thread
are
>> willing to join the Ports Secteam (myself included). How do we join
>> the team?
>>
>> Once the team has new and energized members, I would envision the team
>> then working through the problems that have been outlined in this
>> thread and putting together a plan for fixing them.