Date: Wed, 17 Jan 2007 09:08:04 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-chat@FreeBSD.ORG, stevan-tiefert@t-online.de
Subject: Re: Security Patches for Port Applications in Releases
Message-ID: <200701170808.l0H884Jb080320@lurza.secnetix.de>
In-Reply-To: <200701160447.48313.stevan-tiefert@t-online.de>

Stevan Tiefert wrote:
> I installed the new release 6.2 on my workstation. I installed also portaudit
> and ran it immediately afterwards. What have I to see? 5 vulnerable packages
> in my release.

What was your installation source? I noticed that there are a lot of stale packages on ftp.de.freebsd.org (which is probably used as mirroring source for some of the other ftp*.de servers). I assume the maintainer of that mirror forgot to re-sync after a few packages have been updated in the past months.

For FTP-based installations within .de I recommend using ftp7.de.freebsd.org which re-syncs regularly directly from the European master server. It is up to date and does not have those stale packages.

Of course, there might be other reasons why your particular packages are reported as vulnerable (last but not least, limited man-power of the ports team; after all there are more than 16000 ports to maintain).

The advantage of the release ports is the fact that they have been tested and scrutinized for a long time, and it is assumed that they work in a stable manner, especially the more important and complex ones, such as the office suites and the popular graphical desktop systems. It is clear, however, that it means that you will not always find the latest versions in the release ports.

Of course, you can always choose to update your ports to the most up-to-date version (called "current" or "HEAD"). The ports team usually tries to make sure that they still work on the latest FreeBSD release. Just use the cvsup file /usr/share/examples/cvsup/ports-supfile, insert a cvsup server (e.g. cvsup.de.freebsd.org) and run cvsup.

If you prefer to install pre-compiled packages, you can look at an FTP server (mirror) in the appropriate stable directory (/pub/FreeBSD/ports/i386/packages-6-stable) to get newer packages. They should run fine under the latest release. (Of course, you can choose to update your base system to 6-stable, too, if you like.)

I hope that answers some of your questions.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I learned Java 3 years before Python. It was my language of
choice. It took me two weekends with Python before I was more
productive with it than with Java."
        -- Anthony Roberts