Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

From: Kevin Bowling <kevin.bowling_at_kev009.com>
Date: Sat, 17 Aug 2024 07:15:54 UTC

On Fri, Aug 16, 2024 at 11:56 PM Gleb Popov <arrowd@freebsd.org> wrote:
>
> On Sat, Aug 17, 2024 at 1:03 AM Kevin Bowling <kevin.bowling@kev009.com> wrote:
> >
> > You should seek help or abstain from doing security updates then.
>
> Is this a policy written somewhere? I don't see how not updating a
> VuXML entry is worse than not updating the vulnerable port itself.

Updating and forgetting or simply not knowing how to do something once
is fine.  A refusal, if you aren't going to uphold the standard
committer practices after being shown, maybe you should reconsider
whether you are the right person for the direct commit access and
filter it through review/PR so other committers can massage the
correct result.

I'm not really sure why this is turning into a discussion.  The
request is standard practice for handling CVEs in the repo and a
courtesy to other committers and even more for users who rely on tools
like pkg audit and do not watch commit logs.