Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

> >On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:
> 
> >And you cannot expect the port maintainers
> >to backport security fixes if the upstream provider chose to release the
> >fix only together with a new version.
> 
> Yes you can, ask these guys: http://www.debian.org/. It's just a matter 
> of policy.

OTOH, Debian packages maintainers chose to do this work whereas asking
FreeBSD ports maintainers to do this extra work just now is awkward.
Yes, the FreeBSD project could still ask for volunteers for this job
but anyway I noticed that this kind of policy leads to delayed package
updates whereas merely changing the Makefile in order to upgrade the
port is very quick.

The best example I can give to this is Firefox.  Recently we have seen
a great increase of security advisories about it.  As both a FreeBSD and
Debian user I have to admit that the FreeBSD port is often updated before
the Debian package (however I must also admit this compares somewhat
the two maintainers).

Eventually I would say that when someone administers a network, I
think it is his own responsability to choose softwares whose release
process is serious enough - which used to be a major reason for using
FreeBSD - and it is not the responsability of FreeBSD to overcome their
deficiencies.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"