Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
- Reply: Alexander Leidinger: "Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)"
- Reply: Torsten Zuehlsdorff: "Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)"
- In reply to: Kevin Bowling : "Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)"
Date: Sat, 17 Aug 2024 07:26:43 UTC
On Sat, Aug 17, 2024 at 12:15:54AM GMT, Kevin Bowling wrote:
> On Fri, Aug 16, 2024 at 11:56 PM Gleb Popov <arrowd@freebsd.org> wrote:
> >
> > On Sat, Aug 17, 2024 at 1:03 AM Kevin Bowling <kevin.bowling@kev009.com> wrote:
> > >
> > > You should seek help or abstain from doing security updates then.
> >
> > Is this a policy written somewhere? I don't see how not updating a
> > VuXML entry is worse than not updating the vulnerable port itself.
>
> Updating and forgetting or simply not knowing how to do something once
> is fine. A refusal, if you aren't going to uphold the standard
> committer practices after being shown, maybe you should reconsider
> whether you are the right person for the direct commit access and
> filter it through review/PR so other committers can massage the
> correct result.
>
> I'm not really sure why this is turning into a discussion. The
> request is standard practice for handling CVEs in the repo and a
> courtesy to other committers and even more for users who rely on tools
> like pkg audit and do not watch commit logs.

Technically, it does not need to be a discussion.

Maintaining the VuXML database is ports-secteam's job, it's in their
charter. Now, ports-secteam has no members, so nobody is maintaining
the VuXML database.

Ports committers can update it, but they have absolutely no obligation
to, it's on a best effort basis.

If anyone wants to join ports-secteam, I am sure it can be arranged.

--
Mathieu Arnold