Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Apr 2014 22:39:12 +0200
From:      John Marino <freebsd.contact@marino.st>
To:        Bryan Drewery <bdrewery@FreeBSD.org>, Janne Snabb <snabb@epipe.com>,  freebsd-ports@freebsd.org, freebsd security <freebsd-security@freebsd.org>
Subject:   Re: Missing binary package security updates?
Message-ID:  <53470170.6010401@marino.st>
In-Reply-To: <5346F98D.6030102@FreeBSD.org>
References:  <5346E459.3020207@epipe.com> <5346F98D.6030102@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On 4/10/2014 22:05, Bryan Drewery wrote:
> On 4/10/2014 1:35 PM, Janne Snabb wrote:
>>
>> I think I have noticed binary package updates only about once a week. Is
>> my observation correct? Why such an infrequent update cycle? If there is
>> some real reason to build package updates so rarely, would it be
>> possible to hasten the cycle whenever serious issues like CVE-2014-0160
>> are found?
> 
> (I am involved in building the packages)
> 
> Yes packages currently start building Tuesday night. It takes until
> Saturday/Sunday for all release/arch to finish building. As each
> release/arch is finished the packages are uploaded.

I think there is also some misconceptions here.
There are over 24,000 packages.  Even with incremental building, one
week's worth of changes forces between 7000 and 15000 packages to
rebuild.  I assume some people think that touching 300 packages in a
week means only 300 packages need to be rebuilt, but the reality is that
it's hundreds.

Depending on the machines and how many there are, it could take multiple
days to make packages for just one platform.  If it takes two days and
there are 4 platforms to build, that's 8 days right there.

So the words "infrequent update cycle" I think is a signal that these
parameters aren't understood.

(Note, I am not involved in building FreeBSD packages)

>> Right now pkgng binary packages are not really suitable for production
>> use because of lacking essential security updates. (There should be a
>> loud and clear warning about this in the Handbook if it stays this way?)

What would make it better?
Even if somebody designed a particular vulnerability so important that
it merited an out of cycle build (and all the ripples that would cause)
it is still looking at 2-3 days cycle, minimum.  How many of these
security updates are "essential and can't wait 7 days?".  heartbleed
doesn't happen every day...  Depending on what is deemed acceptable, I
can't envision how binary packages (a courtesy ultimately) can be made
good enough from a security standpoint.

John



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53470170.6010401>