From owner-freebsd-chat@FreeBSD.ORG Wed Jan 17 09:14:40 2007
Message-ID: <45ADE8FA.7080300@highperformance.net>
Date: Wed, 17 Jan 2007 01:14:34 -0800
From: "Jason C. Wells" <jcw@highperformance.net>
To: Stevan Tiefert
Cc: freebsd-chat@freebsd.org
Subject: Re: Security Patches for Port Applications in Releases
In-Reply-To: <200701160525.22382.stevan-tiefert@t-online.de>
References: <200701160525.22382.stevan-tiefert@t-online.de>
List-Id: Non technical items related to the community

Stevan Tiefert wrote:
> Hello list,
>
> I installed the new release 6.2 on my workstation. I installed also
> portaudit and ran it immediately afterwards. What have I to see? 5
> vulnerable packages in my release.
>

The whole OSS community is a moving target. Security is not a static
thing. For FreeBSD to select any given time to release software for OSS
to be bug free is preposterous. Hence, you get vulnerable software even
in the packages that are tagged with your release.

> My questions:
> - Why can I update FreeBSD with security-patches and the
> Release-Packages have no security-patches?
>

The answer to the first part of your question is because FreeBSD decided
to provide such a nice service. That only rolled out in version 4 I
think. It used to be that you would track -stable. Now you get an even
more conservative security update branch.

The answer to the second part of your question is that the FreeBSD port
maintainers are not the people fundamentally working on the security of
the ports. Security patches would be produced by some third party.
FreeBSD would need to spawn yet another CVS branch to maintain the
security update branches of ports from those third parties. Yuck!

Nothing prevents a user from downloading a specific port from -HEAD and
upgrading it. You can do that or you can get the patches from the third
party source and apply them yourself.

Managing 13,000 third party applications to the level of detail that you
inquire about is way beyond what I would ask of FreeBSD. What they do
now is already extraordinary.

> - What are then the advantages of release-packages/ports to
> current-ports if I can not update release-packages with security-patches?
>

But you _can_ update the release-packages. It's just that some
maintainer or the FreeBSD project won't make it brain dead simple like
it is for updating the main branches.

I personally run only so-called -release ports. The reason I do is it
seems to reduce the amount of version dependency headaches I suffer.
When I used to track the ports (which are in -head) with cvsup I would
end up with 4 different versions of gmake, autoconf, libtool et al.
Yuck!

I think that's a good reason to run ports that are tagged with the
current release. There's a lot more stability and a lot less work. That
is advantage enough for me.

> - Is a security-patch-update-system for release-packages/ports planned?

One exists. It's just not as easy as it is for the main release
branches.

Release-packages is something of a misnomer anyway. A more pedantic but
more accurate name would be
"packages-that-just-happened-to-be-in-HEAD-when-we-pulled-the-release-switch-with-extra-care-given-to-gnome-and-kde".
What I mean to say is that it is inappropriate to place any more trust
or scrutiny on a release-package. The release-package distinction is
almost entirely accidental. (yes, I know more care goes into ports near
a release date)

Later,
Jason C. Wells
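The reply above describes the manual route: run portaudit, find the packages it flags, and rebuild each affected port individually from an updated ports tree instead of waiting for a release-tagged fix. The script below is an added example, not code from the thread or from the FreeBSD project. It parses a constructed sample of portaudit output (the "Affected package:" line format is assumed from memory of the tool, not captured from a real run; the package names and reference URLs are placeholders) and prints, rather than executes, the per-port rebuild commands using the pre-pkgng `pkg_info -qo` origin lookup, so an administrator can review the plan before touching anything.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): list the packages a
# portaudit run flags, then print the single-port rebuild steps for each.

# Constructed sample of portaudit(1) output. The "Affected package:" line
# format is assumed; package names and reference URLs are placeholders.
SAMPLE_AUDIT='Affected package: libfoo-1.2.3
Type of problem: libfoo -- example buffer handling issue.
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-UUID-1.html>

Affected package: barapp-0.9
Type of problem: barapp -- example denial of service.
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-UUID-2.html>

2 problem(s) in your installed packages found.'

# list_affected AUDIT_TEXT: print one affected package name per line.
list_affected() {
    printf '%s\n' "$1" | sed -n 's/^Affected package: //p'
}

# count_affected AUDIT_TEXT: number of affected packages, 0 for a clean audit.
# grep -c exits non-zero when nothing matches, so force success after it.
count_affected() {
    list_affected "$1" | { grep -c . || true; }
}

# upgrade_plan AUDIT_TEXT: for each flagged package, print the commands a
# user would run to rebuild just that port from the (already updated)
# ports tree. pkg_info -qo is the pre-pkgng way to map a package to its
# category/port origin. Commands are printed, not run, so they can be
# reviewed first; the $(...) is left literal for the same reason.
upgrade_plan() {
    list_affected "$1" | while read -r pkg; do
        printf '# %s\n' "$pkg"
        printf 'cd /usr/ports/$(pkg_info -qo %s) && make deinstall reinstall clean\n' "$pkg"
    done
}

# Stand-alone run: show what the constructed audit would have us rebuild.
echo "Affected packages: $(count_affected "$SAMPLE_AUDIT")"
upgrade_plan "$SAMPLE_AUDIT"
```

In real use you would replace `SAMPLE_AUDIT` with the output of `portaudit -Fda` (fetch the database, then audit everything installed) after refreshing the ports tree with portsnap or cvsup, and only then run the printed commands.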