FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Ivan Voras
ivoras at fer.hr
Wed Oct 12 09:33:28 PDT 2005
Mike Tancsa wrote:
> At 10:13 AM 12/10/2005, Ivan Voras wrote:
>> My idea is that there could maybe be some "core" ports, about 1500 or so,
>
> This sounds like a recipe for confusion. Some users have problems
> distinguishing between what's in the base, and what's out of the ports.
> Another type of "pseudo base app" would just add to the confusion. User
I agree that "core ports" is a very confusing name... maybe something
like "ports with extended security support" :)
> / admins need to take *some* responsibility for what is installed on
> their system. Many ports are not very well maintained in the first
> place and to say that the security team should be responsible for
> another 1500 applications is not realistic.
No, not the FreeBSD security team - I mentioned them only as a reference
for "how long does it make sense to support a release". All ports that
would get the extended support will HAVE to be supported by their
respective maintainers/authors. Any port whose maintainer doesn't want
to do it this way will automatically get kicked off the list.
The reason why I think this would work is that I think that many
widely-used applications (e.g.: apache, php, mysql, postgresql, perl,
postfix) are well maintained by their authors and there would certainly
be an audience among the maintainers themselves for such a thing.
To summarize:
- each release would tag the ports tree with RELENG_x_y
- on that tag, certain ports would be supported security-wise by their
maintainers for as long as RELENG_x_y itself is supported by the
security team, being careful to leave the same version of the port (or
one that's 100% backward compatible).
- other ports would not be supported/maintained, and will just be
"frozen in time" by the CVS tag.