[Solved] Why don't quarterly ports receive security updates after the head port is patched?

My "story" is quite simple. On my main machine I stay on FreeBSD HEAD ports and everything is working OK, but on an old PC which is used as a media player I have to use quarterly ports to build my own packages, and everything works OK. My only concern is that I have too many vulnerabilities after pkg audit -F is run. For example, lang/python36 on HEAD was patched and is now on version 3.6.12_1, while quarterly lang/python36 is on version 3.6.11 and is marked as vulnerable. I understand that there aren't so many people to maintain ports for so many architectures, but c'mon, that version was marked vulnerable in June and now we are in September.
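As an added illustration (not part of the thread), the check the poster is doing by hand: parse `pkg audit -F` output and flag installed packages whose vulnerable version is already behind what another branch ships. The audit output format and the head version table are constructed sample input; the version comparison is a simplified form of pkg's VERSION[_REV][,EPOCH] rules.

```python
"""Parse `pkg audit -F` output and compare vulnerable installed versions
against the versions another branch (e.g. head) ships."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `pkg audit -F` output (format assumed here, not
# captured from the thread); CVE and advisory URL are placeholders.
SAMPLE_AUDIT = """\
python36-3.6.11 is vulnerable:
  Python -- multiple vulnerabilities
  CVE: CVE-XXXX-XXXXX
  WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER.html

1 problem(s) in 1 installed package(s) found.
"""


def parse_audit(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (package name, installed version, CVE/WWW reference lines)."""
    result: List[Tuple[str, str, List[str]]] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is vulnerable:$", line)
        if m:
            # pkg names are NAME-VERSION; the version follows the last '-'
            name, version = m.group(1).rsplit("-", 1)
            current = (name, version, [])
            result.append(current)
        elif current and line.strip().startswith(("CVE:", "WWW:")):
            current[2].append(line.strip())
    return result


def version_key(v: str) -> Tuple[int, tuple, int]:
    """Simplified sort key for FreeBSD versions VERSION[_REV][,EPOCH]:
    epoch wins, then dotted components, then PORTREVISION. Alphabetic
    components compare as strings; pkg's real rules are richer."""
    epoch = rev = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                  for p in re.findall(r"\d+|[A-Za-z]+", v))
    return (epoch, parts, rev)


def fixed_in_head(audit_text: str, head_versions: Dict[str, str]) -> Dict[str, str]:
    """Map each vulnerable package to the head version when head has moved
    past the installed one, i.e. a fix may be waiting for a merge."""
    return {name: head_versions[name]
            for name, installed, _refs in parse_audit(audit_text)
            if name in head_versions
            and version_key(head_versions[name]) > version_key(installed)}
```

Feeding it the thread's own example (head python36 at 3.6.12_1, quarterly at 3.6.11) reports python36 as already fixed in head.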
 
Send an email to report the security issue. From


"Please report security issues to the FreeBSD Security Team at <ports-secteam@FreeBSD.org>."

I'm sure they update the port as soon as possible. Port security issues are taken seriously; the lack of maintainers may be the reason a port's vulnerability has slipped through their attention.
 
I can do that. What I don't understand is why a port marked vulnerable is not automatically somehow put on top of the list, so that when HEAD is patched the quarterly port is patched too.
 
To understand why a vulnerable port has not been automatically updated, one needs to know who is involved in the process. There are two parties responsible for the FreeBSD ports:

FreeBSD Port Management Team
Their charter:

and

FreeBSD Ports Security Team
Here the wiki

The explanation why a vulnerable port hasn't been updated in quarterly yet is, besides the maintainer not being aware of a security vulnerability (whatever the cause of this unawareness might be), that it needs approval from the ports-secteam:
ports-secteam - FreeBSD Wiki - Blanket Approval

Apropos understaffed, have a look at the list I extracted from the head ports tree of how many ports some of the maintainers maintain as a single person. I cut those with fewer than 10 ports from the list:

Looking at those numbers, some of the maintainers put in a tremendous effort for the maintenance of ports. We should thank them every time we update our ports/packages, and complain less if something breaks. Instead, help the maintainers. If someone is not able to adopt a port, reporting an update, reporting a vulnerability, reporting a bug, or even providing a patch is very much appreciated by the maintainers; at least that's what I see on FreeBSD Bugzilla.
 
I'm not complaining and you misunderstood what I was asking. My question was quite simple: after a maintainer patches a port, which from my knowledge is in HEAD, why isn't the quarterly port also patched by the FreeBSD Port Management Team/FreeBSD Ports Security Team? They know that that bug is going to "land" in the quarterly port. Maybe I don't understand how they are moving HEAD to quarterly, but for me it is kinda stupid to report something which was already solved in HEAD. Anyway, thanks for the answers.
 
I'm not complaining ...

I wasn't implying you are complaining, I was speaking in general, my apologies if I caused a misunderstanding.

and you misunderstood what I was asking. My question was quite simple: after a maintainer patches a port, which from my knowledge is in HEAD, why isn't the quarterly port also patched by the FreeBSD Port Management Team/FreeBSD Ports Security Team? They know that that bug is going to "land" in the quarterly port.

I was of the opinion that the wiki of the ports-secteam had answered that question: ports-secteam needs to review/approve the merge into quarterly, and they are solicitous about not causing breakage. Quote:

"Security updates for non-broken ports require review/approval.
Typically, ports-secteam approves security updates if they don't cause shared library bumps and they don't cause new breakages OR if they are leaf ports (i.e. no other ports depends on them). The goal is to make sure that we don't cause additional breakage to quarterly branch."


Also the shortage of man power to manage all the port issues delays updates/upgrades.

Maybe I don't understand how they are moving HEAD to quarterly, but for me it is kinda stupid to report something which was already solved in HEAD.

Maybe they need a heads up. I can name here a case from the forums:


If you reach out to the maintainer (or to ports-secteam, see below), it's not like you won't get a positive result. The maintainer of the HashiCorp Vault port joined the thread, asked if he should update, and updated on the same day, as has the port below from the bug report.

Bug report opened 2020-09-08 10:47 UTC, approved by ports-secteam at 2020-09-08 18:36 UTC:

Code:
A commit references this bug:

Author: tijl
Date: Tue Sep  8 18:33:34 UTC 2020
New revision: 548039
URL: https://svnweb.freebsd.org/changeset/ports/548039

Log:
  MFH: r547781

  Update to 3.6.15.

  PR:        249190
  Security:    https://gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
  Approved by:    ports-secteam (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/security/gnutls/Makefile
  branches/2020Q3/security/gnutls/distinfo
  branches/2020Q3/security/gnutls/pkg-plist
 
"The goal is to make sure that we don't cause additional breakage to quarterly branch."

I guess this sentence gives me an answer, not a complete one, but an answer. So I'll mark the thread as solved! Thank you for the answers.
 