Date: Sun, 10 Oct 2004 16:20:27 -0500
From: Jon Noack <noackjr@alumni.rice.edu>
To: Dick Davies <rasputnik@hellooperator.net>
Cc: FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: ports freeze and portaudit alerts
Message-ID: <4169A79B.7090009@alumni.rice.edu>
In-Reply-To: <20041010204308.GA29900@lb.tenfour>
References: <20041010204308.GA29900@lb.tenfour>
On 10/10/04 15:43, Dick Davies wrote:
> I've recently returned to FreeBSD from a tour around various other free
> OSes - last time I used it seriously was around 4.7, I think, and 5.3 seems
> to be light years ahead functionality wise. So first off, congratulations.

Glad to have you back ;-).

> But I'm a little alarmed by the pre 5.3 release ports freeze - portaudit has
> flagged an awful lot of packages as having holes and refused to install them.
>
> Off the top of my head : mozilla, cups (and therefore most of kde) and
> firefox/bird. Shouldn't serious bugs (like the JPEG vuln
> in firefox for example) override the freeze?

The Mozilla/Firefox ports have been updated with patches to resolve the
security issues. See the latest commits for more info:
http://www.freshports.org/www/mozilla
http://www.freshports.org/www/firefox

It seems the real issue for Mozilla/Firefox is that the VuXML document was
not updated to reflect the patches being applied to the older versions (see
http://www.vuxml.org/freebsd/index.html). Usually the versioning for the
VuXML document is done with the assumption that issues will be resolved by
updating to the latest version available from the vendor. Under a ports
freeze this assumption is not correct. I've CC'ed nectar@ for this reason.
Once this document is updated then portaudit will no longer flag them.

The CUPS port still has not been updated to resolve its "print queue browser
denial-of-service" issue. However, there is a PR from the maintainer to
update to the latest, "safe" version:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/71811

> I just wondered if there is a policy to not upgrade ports under any
> circumstances, or if this is just an oversight? I can imagine this would make
> me very twitchy if I was running production boxes during a freeze....
> or have I missed something, and this doesn't affect 4.* users?

Updates for security issues generally happen very promptly during ports
freezes. I think these cases are just oversight, either in the reporting of
updates (Mozilla/Firefox) or the actual updating itself (CUPS).

Jon
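The versioning assumption Jon describes, as an added example that is not part of the original thread: a simplified model of how portaudit matches an installed port version against a VuXML range, showing why a port patched in place during a freeze (PORTREVISION bumped) stays flagged until the entry's range is narrowed. The package name, version numbers and ranges are constructed, and the comparison only models dotted numeric components, `_PORTREVISION` and `,PORTEPOCH`, not the full pkg_version ordering.

```python
import operator
from typing import Dict, List, Tuple

Version = Tuple[int, List[int], int]
Range = List[Tuple[str, str]]   # e.g. [("lt", "1.7.3")]; all conditions must hold

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}


def parse_version(v: str) -> Version:
    """Split 'ver[_PORTREVISION][,PORTEPOCH]' into (epoch, components, revision).

    Simplified model of FreeBSD's ordering: epoch wins, then the dotted numeric
    components, then the revision. Letter suffixes (e.g. 1.7.3a) are not handled.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    return (epoch, [int(c) for c in v.split(".")], rev)


def is_flagged(pkg: str, version: str, vuxml: Dict[str, List[Range]]) -> bool:
    """True if any VuXML range for pkg covers version (portaudit would refuse it)."""
    ver = parse_version(version)
    return any(all(OPS[op](ver, parse_version(bound)) for op, bound in rng)
               for rng in vuxml.get(pkg, []))


# Constructed entries (hypothetical version numbers, not real VuXML data).
# The first assumes the fix only arrives with the vendor's next release;
# the second is what the entry must say once the port has been patched in
# place during the freeze and its PORTREVISION bumped to 1.7.2_1.
VENDOR_UPGRADE_ASSUMED = {"mozilla": [[("lt", "1.7.3")]]}
BACKPORT_RECORDED = {"mozilla": [[("lt", "1.7.2_1")]]}

if __name__ == "__main__":
    for version in ("1.7.2", "1.7.2_1"):
        before = is_flagged("mozilla", version, VENDOR_UPGRADE_ASSUMED)
        after = is_flagged("mozilla", version, BACKPORT_RECORDED)
        print(f"{version}: flagged={before} -> flagged={after}")
```

With the original range, 1.7.2_1 is still refused even though the patch is in; only the narrowed range lets the patched revision install while continuing to flag plain 1.7.2.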