While there, add a missing word nearby and fix syntax for better readability.
Details
- Reviewers
carlavilla gjb riggs grahamperrin - Group Reviewers
docs ports secteam Ports Committers
make all
Check lynx output
Diff Detail
- Repository
- R9 FreeBSD doc repository
- Lint
No Lint Coverage - Unit
No Test Coverage - Build Status
Buildable 50161 Build 47053: arc lint + arc unit
Event Timeline
Side note: in a different chapter (out of scope for this review) there is, again, misuse of the phrase Security Officer Team.
https://docs.freebsd.org/en/books/porters-handbook/book/#makefile-maintainer
documentation/content/en/books/porters-handbook/security/_index.adoc | ||
---|---|---|
101–102 | The order of words is strange (for example, as early after a security vulnerability is discovered as possible). Also, re: discovery, port users should be notified only if a vulnerability is already publicly disclosed. | |
108–109 | Security Officer is not a team. Also, conciseness. | |
110–111 | Security Officer is not a team. | |
111 | Do you mean, a bug report with a summary line something like what's below?
| |
111–113 | Security Officer is not a team. |
If a bug report involves a publicly-disclosed vulnerability for which there's not yet a VuXML entry, then the report should have:
- ports-secteam@ amongst CC recipients
- keyword security
- flag merge-quarterly set to ?
- priority maximised, to Normal
- severity maximised, to Affects Many People.
Also: why do we encourage addressing the Security Team, or Security Officer, without mentioning the (more relevant) Ports Security Team?
Good questions all. Waiting for a ports secteam member to address them so I can revise this usefully.
documentation/content/en/books/porters-handbook/security/_index.adoc | ||
---|---|---|
108–109 | Generally, here and all the other places in the doc: I'd mention both the Security Team (#t-secteam) and Ports Security Team(#t-ports-secteam). Our vuxml page (https://vuxml.freebsd.org/freebsd/index.html) contains both base system and ports vulnerabilities. |
Updated patch to follow after it finishes building and I look it over.
documentation/content/en/books/porters-handbook/security/_index.adoc | ||
---|---|---|
101–102 | Agreed to both, but out of scope. | |
108–109 | Do you mean mention both where either is mentioned? Otherwise there's only here, unless I missed something. | |
111 | Yes. |
documentation/content/en/books/porters-handbook/security/_index.adoc | ||
---|---|---|
111–113 |
Sorry: I'm mistaken here (and might have made the same mistake elsewhere). I learnt to treat https://www.freebsd.org/administration/#t-secteam as authoritative, there's no Officer Team. Later discovered, Security Officer Team does exist at https://gitlab.com/FreeBSD/freebsd-doc/-/blob/9587d12749acb8edfdb8ea771e72631592050900/shared/en/teams.adoc?plain=1#L86-88: text :security-officer-name: Security Officer Team :security-officer-email: security-officer@FreeBSD.org :security-officer: {security-officer-name} <{security-officer-email}> Historically (2002): https://cgit.freebsd.org/doc/commit/?id=798336ef5cff10c92f5ba3d06b21f633734a7e1e
|
Side notes:
- link: prefixes make proofreading more difficult for me.
- at one point I had to click New Inline Comment (pictured below) four times before the comment field appeared.
documentation/content/en/books/porters-handbook/security/_index.adoc | ||
---|---|---|
109 | Be explicit, so that the first sight of _Security Team_ in the context of porting is not misinterpreted as the FreeBSD Ports Security Team. | |
111 | ||
113 | ||
113 | https://www.freebsd.org/security/#how is wrong. Nearby https://www.freebsd.org/security/#reporting might be better, however it contradicts what's drafted here; there's no mention of the FreeBSD Ports Security Team. |
documentation/content/en/books/porters-handbook/security/_index.adoc | ||
---|---|---|
109 | I can't reconcile your request with the one above it by @riggs, which I think asks me to mention Ports Security instead. Which should it be? | |
113 | Made it clearer that "as described on..." applies to contacting the security team only, not the ports security team. |
- Address edit comments by riggs and grahamperrin
- More revisions after grahamperrin feedback.
Still waiting for feedback on how to reconcile incompatible requests, which I think is the only thing holding this at this time.
documentation/content/en/books/porters-handbook/security/_index.adoc | ||
---|---|---|
109 |
*ping* @riggs @grahamperrin |
I don't think I can/should answer … I mean, don't think of me as blocking anything here …