From: Martin Hanson
To: freebsd-pkg@freebsd.org
Subject: We need much better security updates for packages
Date: Mon, 20 Oct 2014 06:29:39 +0200
Message-Id: <821921413779379@web13m.yandex.ru>
List-Id: Binary package management and package tools discussion

Hi

This is a suggestion. If "pkg" is going to be any good, meaning a real replacement for always compiling from ports, I think it is really important that we move away from a fixed weekly build when important security upgrades are pending.

We cannot wait a week or more for the official repos when an important security upgrade is pending. Sure, for some small packages it is no problem compiling them from ports, but that really beats the whole purpose of "pkg".

Working also with Debian, I believe we could perhaps "adopt" some of the ways they deal with these issues. I am not sure how it works at FreeBSD, but I suggest making some kind of security package build team that, when an important security upgrade arises, quickly upgrades the relevant packages. Or this could even be automatized, perhaps?

Kind regards.