While on the subject of ports and packages, a security vulnerability may initially appear in the original distribution or in the port files. In the former case, the original software developer is likely to release a patch or a new version instantly. Update the port promptly with respect to the author's fix. If the fix is delayed for some reason, either mark the port as FORBIDDEN or introduce a patch file to the port. In the case of a vulnerable port, just fix the port as soon as possible. In either case, follow the standard procedure for submitting changes unless you have the rights to commit them directly to the ports tree.
Being a ports committer is not enough to commit to an arbitrary port. Remember that ports usually have maintainers, who must be respected.
Please make sure that the port's revision is bumped as soon as the vulnerability has been closed. That is how the users who upgrade installed packages on a regular basis will see they need to run an update. Besides, a new package will be built and distributed over FTP and WWW mirrors, replacing the vulnerable one. Bump PORTREVISION unless DISTVERSION has changed in the course of correcting the vulnerability. That is, bump PORTREVISION if adding a patch file to the port, but do not bump it if updating the port to the latest software version, since that update has already touched DISTVERSION. Please refer to the corresponding section for more information.
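The PORTREVISION rule above can be checked mechanically before a security fix is submitted. The following script is an added example, not part of the handbook or the ports framework: the function names `get_var` and `check_security_bump` are hypothetical, it assumes plain `VAR=value` assignments in the port Makefile, and it treats an absent PORTREVISION as 0.

```sh
#!/bin/sh
# Added example: compare the Makefile before and after a security fix and
# report whether the PORTREVISION rule was followed.

# Print the value of a simple "VAR=<tab>value" assignment; empty if absent.
get_var() {  # usage: get_var VAR MAKEFILE
    awk -v var="$1" '
        { line = $0; sub(/#.*/, "", line) }          # drop trailing comments
        match(line, "^" var "[ \t]*[?:]?=[ \t]*") {
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
        }
        END { print val }' "$2"
}

check_security_bump() {  # usage: check_security_bump OLD_MAKEFILE NEW_MAKEFILE
    old_ver=$(get_var DISTVERSION "$1"); new_ver=$(get_var DISTVERSION "$2")
    old_rev=$(get_var PORTREVISION "$1"); new_rev=$(get_var PORTREVISION "$2")
    old_rev=${old_rev:-0}; new_rev=${new_rev:-0}     # assumption: absent means 0

    if [ "$old_ver" != "$new_ver" ]; then
        # Updated to a new upstream version: PORTREVISION must not be bumped.
        if [ "$new_rev" -gt "$old_rev" ]; then
            echo "unneeded-bump"; return 1
        fi
        echo "ok-version-changed"; return 0
    fi
    # Same DISTVERSION (for example, a patch file was added): bump required.
    if [ "$new_rev" -gt "$old_rev" ]; then
        echo "ok-revision-bumped"; return 0
    fi
    echo "missing-bump"; return 1
}

# Constructed sample Makefiles (not taken from a real port).
tmp=$(mktemp -d)
printf 'PORTNAME=\tfoo\nDISTVERSION=\t1.2.3\nPORTREVISION=\t1\n' > "$tmp/old"
printf 'PORTNAME=\tfoo\nDISTVERSION=\t1.2.3\nPORTREVISION=\t2\n' > "$tmp/patched"
printf 'PORTNAME=\tfoo\nDISTVERSION=\t1.2.4\n' > "$tmp/updated"
check_security_bump "$tmp/old" "$tmp/patched" || true   # ok-revision-bumped
check_security_bump "$tmp/old" "$tmp/updated" || true   # ok-version-changed
check_security_bump "$tmp/old" "$tmp/old" || true       # missing-bump
rm -rf "$tmp"
```

A non-zero exit status marks a change that would leave users of the installed package without an upgrade signal, or that bumps the revision needlessly.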
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.