Paths

Table of Contentst

Suggest port maintainers submit bugs for VuXML updates.
Needs ReviewPublic
Actions

Authored by pauamma_gundo.com on Oct 23 2022, 12:52 AM.

Details

Reviewers

carlavilla
gjb
riggs
grahamperrin

Group Reviewers

docs
ports secteam
Ports Committers

Summary

While there, add a missing word nearby and fix syntax for better readability.

Test Plan

make all

Check lynx output

Diff Detail

Repository

R9 FreeBSD doc repository

Lint

No Lint Coverage

Unit

No Test Coverage

Build Status

Buildable 56650
Build 53538: arc lint + arc unit

Event Timeline

pauamma_gundo.com requested review of this revision.Oct 23 2022, 12:52 AM

pauamma_gundo.com created this revision.

Harbormaster completed remote builds in B47963: Diff 112108.Oct 23 2022, 12:52 AM

Anything I should do to move this along?

Added ports team

Side note: in a different chapter (out of scope for this review) there is, again, misuse of the phrase Security Officer Team.

https://docs.freebsd.org/en/books/porters-handbook/book/#makefile-maintainer

documentation/content/en/books/porters-handbook/security/_index.adoc
100–102	The order of words is strange (for example, as early after a security vulnerability is discovered as possible). Also, re: discovery, port users should be notified only if a vulnerability is already publicly disclosed.
108–109	Security Officer is not a team. Also, conciseness.
110–111	Security Officer is not a team.
111	Do you mean, a bug report with a summary line something like what's below? security/vuxml: create an entry for category/portname
111–114	Security Officer is not a team.

If a bug report involves a publicly-disclosed vulnerability for which there's not yet a VuXML entry, then the report should have:

ports-secteam@ amongst CC recipients
keyword security
flag merge-quarterly set to ?
priority maximised, to Normal
severity maximised, to Affects Many People.

Also: why do we encourage addressing the Security Team, or Security Officer, without mentioning the (more relevant) Ports Security Team?

Good questions all. Waiting for a ports secteam member to address them so I can revise this usefully.

In D37094#866667, @pauamma wrote:

Good questions all. Waiting for a ports secteam member to address them so I can revise this usefully.

ping ports secteam

In D37094#882796, @pauamma wrote:

In D37094#866667, @pauamma wrote:

Good questions all. Waiting for a ports secteam member to address them so I can revise this usefully.

ping ports secteam

Will take a look, thanks for the reminder.

riggs requested changes to this revision.Feb 28 2023, 8:12 AM

riggs added inline comments.

documentation/content/en/books/porters-handbook/security/_index.adoc
108–109	Generally, here and all the other places in the doc: I'd mention both the Security Team (#t-secteam) and Ports Security Team(#t-ports-secteam). Our vuxml page (https://vuxml.freebsd.org/freebsd/index.html) contains both base system and ports vulnerabilities. While the project admin page says that the Security Team is looking after src and ports, it also says the Ports Security Team is focused on ports, hence it will look after security/vuxml in the ports tree (and is the official maintainer of this port as per security/vuxml/Makefile). So I'd contact ports-secteam@ first when there is something about security/vuxml that needs to be resolved.

This revision now requires changes to proceed.Feb 28 2023, 8:12 AM

Updated patch to follow after it finishes building and I look it over.

documentation/content/en/books/porters-handbook/security/_index.adoc
100–102	Agreed to both, but out of scope.
108–109	Do you mean mention both where either is mentioned? Otherwise there's only here, unless I missed something.
111	Yes.

Address edit comments by riggs and grahamperrin

Harbormaster completed remote builds in B50161: Diff 118362.Mar 5 2023, 11:43 PM

grahamperrin added inline comments.Mar 25 2023, 6:25 PM

documentation/content/en/books/porters-handbook/security/_index.adoc
111–114	Security Officer is not a team. Sorry: I'm mistaken here (and might have made the same mistake elsewhere). I learnt to treat https://www.freebsd.org/administration/#t-secteam as authoritative, there's no Officer Team. Later discovered, Security Officer Team does exist at https://gitlab.com/FreeBSD/freebsd-doc/-/blob/9587d12749acb8edfdb8ea771e72631592050900/shared/en/teams.adoc?plain=1#L86-88: text :security-officer-name: Security Officer Team :security-officer-email: security-officer@FreeBSD.org :security-officer: {security-officer-name} <{security-officer-email}> Historically (2002): https://cgit.freebsd.org/doc/commit/?id=798336ef5cff10c92f5ba3d06b21f633734a7e1e For consistency: s/Security Officers Team/Security Officer Team/

ping @riggs @grahamperrin Is either of you waiting for more changes from me?

Side notes:

link: prefixes make proofreading more difficult for me.
at one point I had to click New Inline Comment (pictured below) four times before the comment field appeared.

documentation/content/en/books/porters-handbook/security/_index.adoc
109	Be explicit, so that the first sight of _Security Team_ in the context of porting is not misinterpreted as the FreeBSD Ports Security Team.
111–114
113
113	https://www.freebsd.org/security/#how is wrong. Nearby https://www.freebsd.org/security/#reporting might be better, however it contradicts what's drafted here; there's no mention of the FreeBSD Ports Security Team.

This revision now requires changes to proceed.Jun 18 2023, 1:09 PM

pauamma_gundo.com marked an inline comment as done.Jun 22 2023, 8:11 PM

pauamma_gundo.com added inline comments.

documentation/content/en/books/porters-handbook/security/_index.adoc
109	I can't reconcile your request with the one above it by @riggs, which I think asks me to mention Ports Security instead. Which should it be?
113	Made it clearer that "as described on..." applies to contacting the security team only, not the ports security team.

Address edit comments by riggs and grahamperrin
More revisions after grahamperrin feedback.

Harbormaster completed remote builds in B52254: Diff 123658.Jun 22 2023, 8:19 PM

guest-patmaddox added a subscriber: guest-patmaddox.Jul 29 2023, 10:16 AM

Still waiting for feedback on how to reconcile incompatible requests, which I think is the only thing holding this at this time.

documentation/content/en/books/porters-handbook/security/_index.adoc
109	I can't reconcile your request with the one above it by @riggs, which I think asks me to mention Ports Security instead. Which should it be? ping @riggs @grahamperrin

I don't think I can/should answer … I mean, don't think of me as blocking anything here …

I'm gonna send an email to ping the Security Team.

In D37094#941534, @carlavilla wrote:

I'm gonna send an email to ping the Security Team.

Did they answer your ping?

pauamma_gundo.com marked an inline comment as done.Mar 17 2024, 1:47 AM

pauamma_gundo.com added inline comments.

documentation/content/en/books/porters-handbook/security/_index.adoc
100–102	On second thought, fixing syntax. The other one is above my pay grade.
113	Done as 2 sentences.

Address (I think) all pending review comments.

Harbormaster completed remote builds in B56650: Diff 135836.Mar 17 2024, 1:47 AM

pauamma_gundo.com edited the summary of this revision. (Show Details)Mar 17 2024, 1:49 AM

pauamma_gundo.com edited the test plan for this revision. (Show Details)

@riggs (or anyone from ports secteam), could you (re)review?

Revision Contents
Changeset List

Path

Size

documentation/

content/

en/

books/

porters-handbook/

security/

_index.adoc

15 lines

Diff 135836

View Options

documentation/content/en/books/porters-handbook/security/_index.adoc

Suggest port maintainers submit bugs for VuXML updates.Needs ReviewPublicActions