From owner-freebsd-stable@FreeBSD.ORG Wed Jan 23 21:55:33 2013
Date: Wed, 23 Jan 2013 13:55:31 -0800
From: Jeremy Chadwick <jdc@koitsu.org>
To: crees@freebsd.org
Subject: Re: svn - but smaller?
Message-ID: <20130123215531.GA13217@icarus.home.lan>
Cc: freebsd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code

(Please keep me CC'd as I'm not subscribed to the list)

> Great idea;
>
> http://www.bayofrum.net/~crees/patches/svn-static.diff
>
> Lev, do you mind if I commit this? I haven't touched the subversion
> port, but it'll have you as maintainer :)
>
> If you prefer, I don't mind maintaining this.

As I understand it this patch would induce the build cluster to build
subversion-static.tbz (eventually) and put it on the package servers.

So what happens when one of the underlying dependencies that you've
included statically (those would possibly be: Oracle/SleepyCat DB, APR,
expat, sqlite3, neon, gettext, and iconv) have security holes or major
bugs found/addressed in them?

As I understand it -- based on history -- the packages on the FTP servers
get updated "whenever". My other post shows some haven't been updated in
months (and yes I'm aware of the security incident).

So how long would a key piece of software containing insecure
statically-linked libraries be on the FTP servers? How would the port
maintainer(s) even know the libraries/software which subversion is
dependent upon had been updated, thus requiring a new subversion package
to be pushed out to the package servers ASAP (i.e. immediately, not days,
weeks, or months)?

My point: ports have always been "best-effort". They are advertised
vehemently throughout "everything FreeBSD" as being third-party software
and therefore . Yet now critical pieces to FreeBSD development (and now
end-users too, as a result of using the security incident to push SVN)
rely upon something in ports. That's quite a conundrum the Project has
created for itself, an ouroboros of sorts.

-- 
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                   http://jdc.koitsu.org/ |
| Mountain View, CA, US                                              |
| Making life hard for others since 1977.             PGP 4BD6C0CB |