Date:      Thu, 10 Apr 2014 15:05:33 -0500
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Janne Snabb <snabb@epipe.com>, freebsd-ports@freebsd.org, freebsd security <freebsd-security@freebsd.org>
Subject:   Re: Missing binary package security updates?
Message-ID:  <5346F98D.6030102@FreeBSD.org>
In-Reply-To: <5346E459.3020207@epipe.com>
References:  <5346E459.3020207@epipe.com>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 4/10/2014 1:35 PM, Janne Snabb wrote:
> Hi,
>
> I recently started using the new fancy pkgng binary packages on some
> machines that I maintain. I thought I could save a lot of time as I
> would not need to keep compiling ports manually any more.
>
> Unfortunately it seems that it was not such a good idea:
>
> # date
> Thu Apr 10 21:27:22 EEST 2014
> # pkg audit
> openssl-1.0.1_9 is vulnerable:
> OpenSSL -- Multiple vulnerabilities - private data exposure
> CVE: CVE-2014-0076
> CVE: CVE-2014-0160
> WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html
>
> 1 problem(s) in the installed packages found.
> # pkg upgrade
> Updating repository catalogue
> Nothing to do
> #
>
> This is on FreeBSD 8/i386.
>
> I think I have noticed binary package updates only about once a week. Is
> my observation correct? Why such an infrequent update cycle? If there is
> some real reason to build package updates so rarely, would it be
> possible to hasten the cycle whenever serious issues like CVE-2014-0160
> are found?

(I am involved in building the packages)

Yes, packages currently start building Tuesday night. It takes until
Saturday/Sunday for all release/arch to finish building. As each
release/arch is finished the packages are uploaded.

I did want to expedite updating this package but was blocked by a number
of things. I regret we did not, and will not, have a package available
sooner for all release/archs.

I have started an internal discussion on building packages more
frequently for security updates.

>
> Right now pkgng binary packages are not really suitable for production
> use because of lacking essential security updates. (There should be a
> loud and clear warning about this in the Handbook if it stays this way?)
>
> Best Regards,
>


-- 
Regards,
Bryan Drewery
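The situation Janne describes, `pkg audit` reporting a vulnerable package while `pkg upgrade` has nothing to offer, is exactly the gap a host-level check should catch: the vulnerability database is current but the binary repository has not yet caught up. The following Python is an added example, not code from either poster or from the FreeBSD project. It parses the `pkg audit` output format shown in the thread, looks at the accompanying `pkg upgrade` output, and classifies each host as clean, fixable, or "vulnerable with no fixed package available yet" so that monitoring can page on the last case instead of silently reporting a green upgrade. The sample inputs are constructed from the output quoted above; the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs, copied from the output quoted in the thread.
SAMPLE_AUDIT = """openssl-1.0.1_9 is vulnerable:
OpenSSL -- Multiple vulnerabilities - private data exposure
CVE: CVE-2014-0076
CVE: CVE-2014-0160
WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html

1 problem(s) in the installed packages found.
"""
SAMPLE_UPGRADE_NOTHING = "Updating repository catalogue\nNothing to do\n"
SAMPLE_AUDIT_CLEAN = "0 problem(s) in the installed packages found.\n"

# One finding starts with "<pkg>-<version> is vulnerable:" and is followed by a
# free-text description, zero or more "CVE:" lines and zero or more "WWW:" lines.
HEADER_RE = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
SUMMARY_RE = re.compile(r"^(?P<n>\d+) problem\(s\) in the installed packages found\.$")


def parse_pkg_audit(text: str) -> Tuple[List[Dict], Optional[int]]:
    """Return (findings, reported_count) for a block of `pkg audit` output.

    findings is a list of dicts with keys package, description, cves, urls.
    reported_count is the number from the trailing summary line, or None if
    the summary line is missing (treat that as a parse failure upstream).
    """
    findings: List[Dict] = []
    current: Optional[Dict] = None
    reported: Optional[int] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = {"package": m.group("pkg"), "description": "",
                       "cves": [], "urls": []}
            findings.append(current)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            reported = int(m.group("n"))
            current = None
            continue
        if current is None or not line:
            continue
        if line.startswith("CVE: "):
            current["cves"].append(line[5:].strip())
        elif line.startswith("WWW: "):
            current["urls"].append(line[5:].strip())
        elif not current["description"]:
            # First non-tagged line after the header is the advisory title.
            current["description"] = line
    return findings, reported


def assess_host(audit_text: str, upgrade_text: str) -> Dict:
    """Combine audit and upgrade output into a single host status.

    status is one of:
      clean      - audit found nothing
      fixable    - audit found problems and the repository offers an upgrade
      unfixed    - audit found problems but `pkg upgrade` has "Nothing to do",
                   i.e. the binary repository lags the vulnerability database
      parse-error - the audit summary line was not found
    """
    findings, reported = parse_pkg_audit(audit_text)
    if reported is None or reported != len(findings):
        return {"status": "parse-error", "findings": findings}
    if not findings:
        return {"status": "clean", "findings": []}
    nothing_to_do = any(l.strip() == "Nothing to do"
                        for l in upgrade_text.splitlines())
    status = "unfixed" if nothing_to_do else "fixable"
    cves = sorted({c for f in findings for c in f["cves"]})
    return {"status": status, "findings": findings, "cves": cves}


if __name__ == "__main__":
    # On a real host these two strings would come from running the commands.
    result = assess_host(SAMPLE_AUDIT, SAMPLE_UPGRADE_NOTHING)
    print(result["status"], ", ".join(result["cves"]))
```

The useful signal is the "unfixed" state: a plain `pkg upgrade` exit status looks healthy in exactly the case the thread complains about, so the check has to correlate the two outputs rather than trust either alone. Feeding the strings in from a cron job or a configuration-management run is left to the caller; the parser deliberately requires the trailing summary line so a truncated capture is reported as a parse error instead of a clean host.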

