Date: Tue, 20 Dec 2005 12:03:15 +0100
From: Marwan Burelle <burelle@lri.fr>
To: rihad <rihad@mail.ru>
Cc: freebsd-stable@freebsd.org
Subject: Re: ports security branch
Message-ID: <20051220110315.GA66112@melkor.kh405.net>
In-Reply-To: <43A7DA65.1020801@mail.ru>
References: <43A7A3F7.7060500@mail.ru> <20051220083913.GA505@kierun.org> <43A7DA65.1020801@mail.ru>
On Tue, Dec 20, 2005 at 02:18:13PM +0400, rihad wrote:
> A very interesting script for its own purpose, but I'm afraid this
> doesn't answer my question at all. Perhaps seeing the way that e.g.
> Debian deals with the upgrade problem might shed some light on the
> issue. Hell, FreeBSD does exactly that for the base world+kernel, too!
> Not for the ports, though.

That's a much more complex problem. IMHO, there are at least two kinds of ports: end-user apps and their related libs, and services/system-related tools. Security issues mostly appear in the second kind. The problem is that the dependency tree is "too connex": some libs are needed by both kinds (just think of libs like ssl, gettext or expat ...).

Relying on the maintainer's work is a good starting point; you may trust him to do only the needed updates for those ports that have security concerns. But even here, major updates of widely used libs imply a rebuild of most of the ports, even when no security issue arises.

The "debian way" is to have a frozen tree and restrained updates. This induces at least two-level maintenance: one that follows "on-the-edge" updates and the other that only follows security updates. The problem is that most applications don't work like that; they don't maintain two branches, and thus you need (or the maintainer of the port needs) to maintain a bunch of security patches for that app that don't have any dependency links (or at least only to other security updates ...). This is a lot of work, and IMHO that's why debian stable is so often outdated (and sometimes completely obsolete). This also raises questions like "when should we move to the next/last release?", "Is that patch-set too important?" ...
My own experience shows me that most of the time, when you only need security updates, that means your box is "specialized" in some way with a small set of installed ports, and thus every update in the tree for those ports is relevant. Otherwise, you may want to have up-to-date ports because they provide you with shiny new features ;)

--
Marwan Burelle, http://www.lri.fr/~burelle
( burelle@lri.fr | Marwan.Burelle@ens.fr )
http://www.cduce.org