From: Roger Marquis
Date: Tue, 23 May 2006 08:53:00 -0700 (PDT)
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Survey

Peter Jeremy wrote:
> One of the major problems with unattended/automatic updating is
> that it is hard to filter them.

It's hard to make a good case for automatic updates when manual updates are so easy. The main area this could be improved on would be in a daily report, emailed to root, detailing which installed ports are out of date. We do this with a shell script.

One issue with identifying out-of-date installed ports is the port-version number. We usually ignore port-version-only updates because it's difficult to tell what was changed and few changes aren't detailed in /usr/ports/UPDATING.

Another issue has to do with policy regarding -release, -rc, -alpha versioning. Too many ports maintainers think nothing of using -pre-release versions that are usually not appropriate on -release systems.

All that said, FreeBSD's ports are still the reference implementation, head-and-shoulders better than up2date, yum, rpm, apt-get, or anything else out there.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
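
An added example, not part of the original message and not the script the author refers to: a filter for the kind of daily report described above, which skips port-revision-only bumps and marks pre-release versions. The input format (name, installed version, version in the ports tree), the sample rows and the pre-release heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# FreeBSD package versions look like <upstream>[_<PORTREVISION>][,<PORTEPOCH>].

# Constructed sample: "<name> <installed version> <version in ports tree>".
SAMPLE='foo 3.1.10_1 3.1.17
bar 5.8.8 5.8.8_1
libbaz 7.15.3 7.16.0.rc1
qux 4.2.6_2,1 4.2.6_3,1
quux 6.4.6 6.4.6'

# Drop the _PORTREVISION suffix but keep any ,PORTEPOCH.
strip_rev() {
    printf '%s\n' "$1" | sed -E 's/_[0-9]+(,[0-9]+)?$/\1/'
}

# Heuristic (an assumption, tune per site): version strings naming a pre-release.
is_prerelease() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *alpha*|*beta*|*rc[0-9]*|*pre*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read name/installed/available triples on stdin; print only real version changes.
report() {
    while read -r name inst avail; do
        if [ -z "$name" ]; then continue; fi
        if [ "$(strip_rev "$inst")" = "$(strip_rev "$avail")" ]; then
            continue    # identical, or a port-revision-only bump
        fi
        note=""
        if is_prerelease "$avail"; then note=" (pre-release)"; fi
        printf '%s %s -> %s%s\n' "$name" "$inst" "$avail" "$note"
    done
}

printf '%s\n' "$SAMPLE" | report
```

Run from cron, the output of report can be piped to mail(1) addressed to root. The comparison is for inequality only, so it assumes the ports tree is never older than what is installed.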