On Jan 9, 2018, at 12:27 PM, Perry E. Metzger <[email protected]> wrote: > Am I correct in assuming that as things stand, we mostly depend on > port owners to track security updates on behalf of the project and > that there isn't a security officer or any such thing? (Not > complaining, just seeking clarification.)
Yes. Unless/until someone volunteers as security officer. Way back when we first instituted the regular vs. openmaintainer policy we decided that security updates fall in the 'anyone with commit access can push them' category - so in theory any committer can/should update any port that has a security update. -- Daniel J. Luke
