Bug 197312 - Add ports-secteam@ to the instructions page for reporting security vulnerabilities
Summary: Add ports-secteam@ to the instructions page for reporting security vulnerabil...
Status: Closed FIXED
Alias: None
Product: Documentation
Classification: Unclassified
Component: Website
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jason Helfman
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-04 03:43 UTC by rsimmons0
Modified: 2015-03-26 02:18 UTC

See Also:


Attachments
add the ports-secteam@ address to the reporting instructions (648 bytes, text/plain)
2015-02-04 03:43 UTC, rsimmons0

Description rsimmons0 2015-02-04 03:43:41 UTC
Created attachment 152539
add the ports-secteam@ address to the reporting instructions

The ports-secteam@ address should be listed on the page for instructions about reporting security issues. Perhaps the team and its members should be added to the list of admin teams as well.

I've attached a patch to the page en_US.ISO8859-1/htdocs/security/reporting.xml

I'm not sure who the members of the team are, so I have not included an update to the following page:
https://www.freebsd.org/administration.html#t-secteam
Comment 1 Benjamin Kaduk 2015-02-04 17:24:37 UTC
It's unclear to me that advertising the ports security team is useful until they have a published PGP key to use.  I am certainly not going to give advance notice of a vulnerability in software for which I am the upstream of a FreeBSD port via cleartext email!
Comment 2 rsimmons0 2015-02-04 17:33:06 UTC
Please pardon my ignorance, but do the ports-secteam members not use the sec officer key, or is that restricted to the secteam only?

My original suggestion was based on the assumption that they do.
Comment 3 rsimmons0 2015-02-04 17:36:46 UTC
My original suggestion was also based on an email conversation with secteam@ where I was pointed to the ports-secteam@ address as a better place to report ports security problems the next time I do. I was, however, following the directions on the en_US.ISO8859-1/htdocs/security/reporting.xml page on the website which at the moment has no mention of ports-secteam@.

My basis for the change in that page is to put the information that I received from secteam into the reporting instructions.

I totally agree with your hesitation based on cleartext email.
Comment 4 Benjamin Kaduk 2015-02-04 18:40:09 UTC
(In reply to rsimmons0 from comment #2)

Well, I am not on either team so I cannot speak with complete certainty, but generally a PGP key has as part of it one or more uids, which correspond to email addresses.  PGP email software generally makes it hard to use a given key to encrypt mail to a given email address when that address is not a uid of the key.  So, I do not expect that the teams share the same key.
Comment 5 commit-hook 2015-03-26 02:17:33 UTC
A commit references this bug:

Author: jgh
Date: Thu Mar 26 02:17:22 UTC 2015
New revision: 46381
URL: https://svnweb.freebsd.org/changeset/doc/46381

Log:
  - add reporting instructions to security page for ports collection issues

  PR:		197312 (based on)
  Differential Revision:	https://reviews.freebsd.org/D1904
  Submitted by:	rsimmons0@gmail.com
  Reviewed by:	bjk, wblock
  Approved by:	wblock (mentor)

Changes:
  head/en_US.ISO8859-1/htdocs/security/reporting.xml