From: Jon Noack <noackjr@alumni.rice.edu>
To: Dick Davies
Cc: nectar@freebsd.org, FreeBSD Current <freebsd-current@freebsd.org>
Date: Sun, 10 Oct 2004 16:20:27 -0500
Subject: Re: ports freeze and portaudit alerts

On 10/10/04 15:43, Dick Davies wrote:
> I've recently returned to FreeBSD from a tour around various other free
> OSes - last time I used it seriously was around 4.7, I think, and 5.3 seems
> to be light years ahead functionality wise. So first off, congratulations.

Glad to have you back ;-).

> But I'm a little alarmed by the pre 5.3 release ports freeze - portaudit has
> flagged an awful lot of packages as having holes and refused to install them.
>
> Off the top of my head: mozilla, cups (and therefore most of kde) and
> firefox/bird. Shouldn't serious bugs (like the JPEG vuln in firefox for
> example) override the freeze?

The Mozilla/Firefox ports have been updated with patches to resolve the
security issues. See the latest commits for more info:
http://www.freshports.org/www/mozilla
http://www.freshports.org/www/firefox

It seems the real issue for Mozilla/Firefox is that the VuXML document was
not updated to reflect the patches being applied to the older versions (see
http://www.vuxml.org/freebsd/index.html). Usually the versioning for the
VuXML document is done with the assumption that issues will be resolved by
updating to the latest version available from the vendor. Under a ports
freeze this assumption is not correct. I've CC'ed nectar@ for this reason.
Once this document is updated then portaudit will no longer flag them.

The CUPS port still has not been updated to resolve its "print queue browser
denial-of-service" issue. However, there is a PR from the maintainer to
update to the latest, "safe" version:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/71811

> I just wondered if there is a policy to not upgrade ports under any
> circumstances, or if this is just an oversight? I can imagine this would make
> me very twitchy if I was running production boxes during a freeze....
> or have I missed something, and this doesn't affect 4.* users?

Updates for security issues generally happen very promptly during ports
freezes. I think these cases are just oversight, either in the reporting of
updates (Mozilla/Firefox) or the actual updating itself (CUPS).

Jon
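The VuXML versioning assumption Jon describes, shown as an added example that is not part of the thread: a VuXML-style range check in Python, with constructed entries and placeholder version numbers (0.10, 0.10_1 and 0.10.1 are assumptions, not the real Firefox port versions) and a simplified version comparison rather than pkg_version(1)'s full algorithm. A stale entry whose upper bound is the next vendor release keeps flagging a port that was patched in place under the freeze; an entry whose bound names the patched PORTREVISION does not.

```python
import xml.etree.ElementTree as ET

def parse_pkgver(v):
    """Split a FreeBSD package version 'VERSION[_REVISION][,EPOCH]' into a
    comparable tuple (epoch, version parts, port revision).  Simplified:
    numeric dotted versions only; pkg_version(1) handles more forms."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return (epoch, tuple(int(p) for p in v.split(".")), revision)

def in_range(installed, rng):
    """True if 'installed' satisfies every bound (<lt>, <le>, ...) in a <range>."""
    iv = parse_pkgver(installed)
    ops = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
           "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
           "eq": lambda a, b: a == b}
    return all(ops[b.tag](iv, parse_pkgver(b.text)) for b in rng)

def affected_packages(vuxml_text, installed):
    """Names from 'installed' (dict name -> version) that the document
    marks as affected; this is what a portaudit-style check decides on."""
    hits = set()
    for pkg in ET.fromstring(vuxml_text).iter("package"):
        for name in (n.text for n in pkg.findall("name")):
            if name in installed and any(in_range(installed[name], r)
                                         for r in pkg.iter("range")):
                hits.add(name)
    return hits

# Constructed sample entry (namespace omitted, versions are placeholders).
# The stale bound assumes the fix only arrives with vendor release 0.10.1.
STALE = """<vuxml><vuln vid="example-1"><topic>constructed example</topic>
<affects><package><name>firefox</name><range><lt>0.10.1</lt></range></package>
</affects></vuln></vuxml>"""
# Under a freeze the port was patched in place and PORTREVISION bumped, so
# the corrected bound must name the patched package version instead.
FIXED = STALE.replace("<lt>0.10.1</lt>", "<lt>0.10_1</lt>")

if __name__ == "__main__":
    patched = {"firefox": "0.10_1"}
    print("stale entry flags patched port:", affected_packages(STALE, patched))
    print("fixed entry flags patched port:", affected_packages(FIXED, patched))
```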