Date: Thu, 24 Jan 2013 16:17:37 +0000
From: Chris Rees <utisoft@gmail.com>
To: Jeremy Chadwick <jdc@koitsu.org>
Cc: Chris Rees <crees@freebsd.org>, FreeBSD <freebsd-stable@freebsd.org>
Subject: Re: svn - but smaller?
Message-ID: <CADLo839nVCPg+swGPNZ_E5Gc5qE-zysoiznhWaYeaJ+r8sM4Pg@mail.gmail.com>
In-Reply-To: <20130123215531.GA13217@icarus.home.lan>
References: <20130123215531.GA13217@icarus.home.lan>
On 23 Jan 2013 21:55, "Jeremy Chadwick" <jdc@koitsu.org> wrote:
>
> (Please keep me CC'd as I'm not subscribed to the list)
>
> > Great idea;
> >
> > http://www.bayofrum.net/~crees/patches/svn-static.diff
> >
> > Lev, do you mind if I commit this? I haven't touched the subversion
> > port, but it'll have you as maintainer :)
> >
> > If you prefer, I don't mind maintaining this.
>
> As I understand it this patch would induce the build cluster to build
> subversion-static.tbz (eventually) and put it on the package servers.
>
> So what happens when one of the underlying dependencies that you've
> included statically (those would possibly be: Oracle/SleepyCat DB, APR,
> expat, sqlite3, neon, gettext, and iconv) have security holes or major
> bugs found/addressed in them?

The package would be updated on the next build, since a dependency changed.

> As I understand it -- based on history -- the packages on the FTP
> servers get updated "whenever". My other post shows some haven't been
> updated in months (and yes I'm aware of the security incident).

That's why, so for normal use it's irrelevant.

> So how long would a key piece of software containing insecure
> statically-linked libraries be on the FTP servers?

No longer than any other package.

> How would the port maintainer(s) even know the libraries/software which
> subversion is dependent upon had been updated, thus requiring a new
> subversion package to be pushed out to the package servers ASAP (i.e.
> immediately, not days, weeks, or months)?
>
> My point: ports have always been "best-effort". They are advertised
> vehemently throughout "everything FreeBSD" as being third-party software
> and therefore <infinite list of caveats>. Yet now critical pieces to
> FreeBSD development (and now end-users too, as a result of using the
> security incident to push SVN) rely upon something in ports. That's
> quite a conundrum the Project has created for itself, an ouroboros of
> sorts.

This is not intended as general use for everyone, it's intended as a shortcut when building a new machine or anything else. I'll put a big warning in pkg message :)

Chris