From: David Chisnall <theraven@freebsd.org>
To: Erich Dollansky
Cc: freebsd-stable@freebsd.org
Date: Sat, 2 Jun 2012 11:39:16 +0100
Subject: Re: Why Are You Using FreeBSD?
Message-Id: <4B0A0556-D035-47F6-8EB9-9D6216FABFBE@freebsd.org>
In-Reply-To: <2189681.al9jQ9fsnP@x220.ovitrap.com>

On 2 Jun 2012, at 03:56, Erich Dollansky wrote:

> But I have to mention one disadvantage. The ports are in no way linked to the releases. This leads to situations in which a small change in a basic library will result in a complete update of the installed ports. I expressed this already many times here. It would be of advantage if the ports tree would also have tags like the base system itself.
OpenBSD did this for a while, but they gave up because they weren't doing it well enough to recommend it and it did more harm to users to do it badly than not at all.

Ideally, you want to get security fixes for all installed applications, but nothing else, in this model. There are two ways of doing this:

- Back-port security fixes to the version shipped with the base system
- Import the security-fixed version into the stable set.

The second option has the problem that you identified: if the new version depends on a newer library, then this cascades and you end up needing to import a new version of hundreds of ports.

The first option has a much simpler disadvantage: it requires a huge amount of manpower. Companies like Red Hat can do this because they charge their users a lot for this service. We could probably do this if we had enough users willing to pay for the service, or if we restrict it to a set of packages that do their own security backports upstream.

The problem with the second option can be alleviated if we make it easier to have multiple versions of libraries installed at the same time (this is something that the PBI system in PC-BSD does, albeit in an ugly hackish way that could be improved significantly with a bit of assistance from rtld).

David