From: Janne Snabb
Date: Thu, 10 Apr 2014 21:35:05 +0300
To: freebsd-ports@freebsd.org, freebsd security
Subject: Missing binary package security updates?
Message-ID: <5346E459.3020207@epipe.com>

Hi,

I recently started using the new fancy pkgng binary packages on some machines that I maintain. I thought I could save a lot of time as I would not need to keep compiling ports manually any more.
Unfortunately it seems that it was not such a good idea:

# date
Thu Apr 10 21:27:22 EEST 2014
# pkg audit
openssl-1.0.1_9 is vulnerable:
OpenSSL -- Multiple vulnerabilities - private data exposure
CVE: CVE-2014-0076
CVE: CVE-2014-0160
WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html

1 problem(s) in the installed packages found.
# pkg upgrade
Updating repository catalogue
Nothing to do
#

This is on FreeBSD 8/i386.

I think I have noticed binary package updates only about once a week. Is my observation correct? Why such an infrequent update cycle?

If there is some real reason to build package updates so rarely, would it be possible to hasten the cycle whenever serious issues like CVE-2014-0160 are found?

Right now pkgng binary packages are not really suitable for production use because of lacking essential security updates. (There should be a loud and clear warning about this in the Handbook if it stays this way?)

Best Regards,
--
Janne Snabb
snabb@epipe.com
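The situation in the mail (pkg audit reports a vulnerable package, pkg upgrade has nothing newer to offer) is exactly what an operator wants flagged automatically instead of discovering it by hand. The script below is an added example, not code from the original message or from the FreeBSD project: it parses the text output of pkg audit into per-package CVE lists and, when pkg(8) is actually present, asks the configured repository what version it offers for each vulnerable package via pkg rquery so the "vulnerable but no update available" case stands out. The sample audit output is constructed from the session quoted above; the audit_findings, audit_packages, pkg_base_name and live_repo_check names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail: turn `pkg audit` text output
# into machine-checkable findings and compare against what the repo offers.

# Constructed sample, copied from the session quoted in the mail.
SAMPLE_AUDIT='openssl-1.0.1_9 is vulnerable:
OpenSSL -- Multiple vulnerabilities - private data exposure
CVE: CVE-2014-0076
CVE: CVE-2014-0160
WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html

1 problem(s) in the installed packages found.'

# audit_findings: read `pkg audit` output on stdin and print one
# "<pkg-version> <CVE-id>" pair per line. A "... is vulnerable:" header
# starts a new package; each following "CVE:" line belongs to it.
audit_findings() {
    awk '
        / is vulnerable:?$/ { pkg = $1; next }
        /^CVE:/ && pkg != "" { print pkg, $2 }
    '
}

# audit_packages: the distinct vulnerable package names (with version),
# in first-seen order.
audit_packages() {
    audit_findings | awk '!seen[$1]++ { print $1 }'
}

# pkg_base_name: strip the trailing "-<version>" so the name can be handed
# to pkg rquery, e.g. "openssl-1.0.1_9" -> "openssl".
pkg_base_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*$//'
}

# live_repo_check: only meaningful on a host with pkg(8). For every package
# pkg audit flags, print the installed version next to the version the
# configured repository offers; identical versions mean `pkg upgrade` will
# say "Nothing to do" even though the package is vulnerable.
live_repo_check() {
    pkg audit 2>/dev/null | audit_packages | while read -r p; do
        base=$(pkg_base_name "$p")
        remote=$(pkg rquery '%v' "$base" 2>/dev/null || echo 'not in repo')
        printf '%s installed, repo offers: %s\n' "$p" "$remote"
    done
}

# Stand-alone run: show the parsed sample, then the live check if possible.
printf '%s\n' "$SAMPLE_AUDIT" | audit_findings
if command -v pkg >/dev/null 2>&1; then
    live_repo_check
fi
```

Run it from cron and alert on any line where the repo version equals the installed one; that is the condition the mail describes, where the vulnerability database already knows about the bug but the package builders have not yet shipped a fix.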