
Suggest port maintainers submit bugs for VuXML updates.
Needs Review (Public)

Authored by pauamma_gundo.com on Oct 23 2022, 12:52 AM.

Details

Summary

While there, add a missing word nearby and fix syntax for better readability.

Test Plan

make all

Check lynx output

Diff Detail

Repository
R9 FreeBSD doc repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 56650
Build 53538: arc lint + arc unit

Event Timeline

pauamma_gundo.com created this revision.

Anything I should do to move this along?

Side note: in a different chapter (out of scope for this review) there is, again, misuse of the phrase Security Officer Team.

https://docs.freebsd.org/en/books/porters-handbook/book/#makefile-maintainer

documentation/content/en/books/porters-handbook/security/_index.adoc
100–102

The order of words is strange (for example, as early after a security vulnerability is discovered as possible).

Also, re: discovery, port users should be notified only if a vulnerability is already publicly disclosed.

108–109

Security Officer is not a team.

Also, conciseness.

110–111

Security Officer is not a team.

111

Do you mean, a bug report with a summary line something like what's below?

security/vuxml: create an entry for category/portname

111–114

Security Officer is not a team.

If a bug report involves a publicly-disclosed vulnerability for which there's not yet a VuXML entry, then the report should have:

  • ports-secteam@ amongst CC recipients
  • keyword security
  • flag merge-quarterly set to ?
  • priority maximised, to Normal
  • severity maximised, to Affects Many People.

Also: why do we encourage addressing the Security Team, or Security Officer, without mentioning the (more relevant) Ports Security Team?

Good questions all. Waiting for a ports secteam member to address them so I can revise this usefully.

In D37094#866667, @pauamma wrote:

Good questions all. Waiting for a ports secteam member to address them so I can revise this usefully.

ping ports secteam

In D37094#882796, @pauamma wrote:
In D37094#866667, @pauamma wrote:

Good questions all. Waiting for a ports secteam member to address them so I can revise this usefully.

ping ports secteam

Will take a look, thanks for the reminder.

riggs requested changes to this revision. Feb 28 2023, 8:12 AM
riggs added inline comments.
documentation/content/en/books/porters-handbook/security/_index.adoc
108–109

Generally, here and all the other places in the doc: I'd mention both the Security Team (#t-secteam) and Ports Security Team (#t-ports-secteam). Our vuxml page (https://vuxml.freebsd.org/freebsd/index.html) contains both base system and ports vulnerabilities.
While the project admin page says that the Security Team is looking after src and ports, it also says the Ports Security Team is focused on ports, hence it will look after security/vuxml in the ports tree (and is the official maintainer of this port as per security/vuxml/Makefile).
So I'd contact ports-secteam@ first when there is something about security/vuxml that needs to be resolved.

This revision now requires changes to proceed. Feb 28 2023, 8:12 AM

Updated patch to follow after it finishes building and I look it over.

documentation/content/en/books/porters-handbook/security/_index.adoc
100–102

Agreed to both, but out of scope.

108–109

Do you mean mention both where either is mentioned? Otherwise there's only here, unless I missed something.

111

Yes.

pauamma_gundo.com marked an inline comment as done.
  • Address edit comments by riggs and grahamperrin
documentation/content/en/books/porters-handbook/security/_index.adoc
111–114

Security Officer is not a team.

Sorry: I'm mistaken here (and might have made the same mistake elsewhere).


I learnt to treat https://www.freebsd.org/administration/#t-secteam as authoritative; there's no Officer Team.

Later discovered, Security Officer Team does exist at https://gitlab.com/FreeBSD/freebsd-doc/-/blob/9587d12749acb8edfdb8ea771e72631592050900/shared/en/teams.adoc?plain=1#L86-88:

:security-officer-name: Security Officer Team
:security-officer-email: security-officer@FreeBSD.org
:security-officer: {security-officer-name} <{security-officer-email}>

Historically (2002): https://cgit.freebsd.org/doc/commit/?id=798336ef5cff10c92f5ba3d06b21f633734a7e1e

For consistency: s/Security Officers Team/Security Officer Team/

ping @riggs @grahamperrin Is either of you waiting for more changes from me?

Side notes:

  • link: prefixes make proofreading more difficult for me.
  • at one point I had to click New Inline Comment (pictured below) four times before the comment field appeared.

image.png (534×715 px, 84 KB)

documentation/content/en/books/porters-handbook/security/_index.adoc
109

Be explicit, so that the first sight of _Security Team_ in the context of porting is not misinterpreted as the FreeBSD Ports Security Team.

113

https://www.freebsd.org/security/#how is wrong.

Nearby https://www.freebsd.org/security/#reporting might be better, however it contradicts what's drafted here; there's no mention of the FreeBSD Ports Security Team.

This revision now requires changes to proceed. Jun 18 2023, 1:09 PM
pauamma_gundo.com added inline comments.
documentation/content/en/books/porters-handbook/security/_index.adoc
109

I can't reconcile your request with the one above it by @riggs, which I think asks me to mention Ports Security instead. Which should it be?

113

Made it clearer that "as described on..." applies to contacting the security team only, not the ports security team.

pauamma_gundo.com marked an inline comment as done.
  • Address edit comments by riggs and grahamperrin
  • More revisions after grahamperrin feedback.

Still waiting for feedback on how to reconcile incompatible requests, which I think is the only thing holding this at this time.

documentation/content/en/books/porters-handbook/security/_index.adoc
109

I can't reconcile your request with the one above it by @riggs, which I think asks me to mention Ports Security instead. Which should it be?

*ping* @riggs @grahamperrin

I don't think I can/should answer … I mean, don't think of me as blocking anything here …

I'm gonna send an email to ping the Security Team.

I'm gonna send an email to ping the Security Team.

Did they answer your ping?

pauamma_gundo.com added inline comments.
documentation/content/en/books/porters-handbook/security/_index.adoc
100–102

On second thought, fixing syntax. The other one is above my pay grade.

113

Done as 2 sentences.

pauamma_gundo.com marked an inline comment as done.
  • Address (I think) all pending review comments.
pauamma_gundo.com edited the test plan for this revision.