Date: Wed, 17 Jan 2007 18:33:00 +0200
From: Ion-Mihai "IOnut" Tetcu <itetcu@FreeBSD.org>
To: "Jason C. Wells" <jcw@highperformance.net>
Cc: Stevan Tiefert <stevan-tiefert@t-online.de>, freebsd-chat@freebsd.org
Subject: Re: Security Patches for Port Applications in Releases
Message-ID: <20070117183300.1457a9df@it.buh.tecnik93.com>
In-Reply-To: <45ADE8FA.7080300@highperformance.net>
References: <200701160525.22382.stevan-tiefert@t-online.de> <45ADE8FA.7080300@highperformance.net>

On Wed, 17 Jan 2007 01:14:34 -0800
"Jason C. Wells" <jcw@highperformance.net> wrote:

[ .. a lot of true and nice things .. ]

> I personally run only so-called -release ports. The reason I do is
> it seems to reduce the amount of version dependency headaches I
> suffer. When I used to track the ports (which are in -head) with
> cvsup I would end up with 4 different versions of gmake, autoconf,
> libtool et al. Yuck! I think that's a good reason to run ports that
> are tagged with the current release. There's a lot more stability
> and a lot less work. That is advantage enough for me.

Actually the multiple versions of auto* didn't have anything to do with
release packages or anything else. We just had ports that did build
only with a specific version (and some hacks in our framework). A lot of
work has been put in simplifying this.

> > - Is a security-patch-update-system for release-packages/ports
> > planned?

No. We just don't have the human and hardware resources. If you really
need that and want to pay for it some of us would be willing to do it
(for a limited number of ports).

> One exists. It's just not as easy as it is for the main release
> branches.
>
> Release-packages is something of a misnomer anyway. A more pedantic
> but more accurate name would be
> "packages-that-just-happened-to-be-in-HEAD-when-we-pulled-the-release-switch-with-extra-care-given-to-gnome-and-kde".

Not exactly. There's a lot of extra work put in before and during the
ports freeze to make sure the ports are in the best condition possible
and those that need to be are marked broken. We try to concentrate more
on bug-fixing than on updates or new ports.

> What I mean to say is that it is inappropriate to place any more
> trust or scrutiny on a release-package. The release-package
> distinction is almost entirely accidental.

[...]

Actually there's another thing: the release packages/ports are
"guaranteed" to work on that release (at least in theory). But no such
thing exists for the ports at any given time, i.e. ports/packages from
today 12:00 UTC are required to work on today 12:00 UTC supported
-STABLE branches and not on any supported -RELEASE or -SECURITY.

-- 
IOnut - Un^d^dregistered ;) FreeBSD "user"
  "Intellectual Property" is nowhere near as valuable as "Intellect"
BOFH excuse #422: Someone else stole your IP address, call the Internet detectives!