From owner-freebsd-questions@FreeBSD.ORG Mon Jan 14 13:10:41 2013
From: Andrei Brezan
Date: Mon, 14 Jan 2013 14:10:30 +0100
To: freebsd-questions@freebsd.org
Subject: Re: pkgng package repository tracking security updates
Message-ID: <50F403C6.1030705@gmail.com>
On 1/14/2013 1:07 PM, n j wrote:
> Hi,
>
> One of my primary concerns when managing a system is its security. In the
> interest of security, I usually hold to that "patch early, patch often".
> Ports are kept well up-to-date and with portmaster it is not a problem to
> keep updating the ports. However, as Ivan [1] pointed out on his blog on
> pkgng:
>
> "Having source-based ports is all fine and well but all that time compiling
> ports is subtracted from the time the server(s) would perform some actually
> useful work. After all, servers exist to do some work, not to be waited on
> while compiling. The same goes for me: I don't want to wait for ports
> anymore."
>
> I don't want to wait for compilation either, especially on large ports and
> weak hardware, and do it often to stay on top of security vulnerabilities.
> For that reason I look forward to binary packages.
>
> So, my question regarding pkgng is not really about the tool itself, but
> rather what will be provided via official repositories. One of the problems
> with the old pkg_* tools was that packages for a lot of software didn't
> exist, and for those that did exist they weren't updated when
> vulnerabilities were discovered and patched upstream (and in ports). Is
> this going to improve with pkgng repositories? Will there be a, say,
> -SECURITY repository that will build the new version of packages at least
> as often as security vulnerabilities are fixed in ports?
>
> [1] http://ivoras.net/blog/tree/2012-08-31.using-pkgng-in-real-life.html
>
> Regards,

Hi Nino,

I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why; that's one of the reasons why I'm using FreeBSD. I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server. IIRC it was considered too cumbersome to compile the whole ports tree for all the supported architectures and provide the so-called official binary repositories.

Regards,
Andrei