Date:      Thu, 11 Jul 2002 01:39:16 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Rahul Siddharthan <rsidd@online.fr>
Cc:        Alexey Dokuchaev <danfe@regency.nsu.ru>, Cy Schubert - CITS Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, chat@freebsd.org
Subject:   Re: Package system wishlist
Message-ID:  <3D2D4434.F96E2BD3@mindspring.com>
References:  <20020710210509.GA686@lpt.ens.fr> <3D2CA535.EC11BDA1@mindspring.com> <20020710213619.GA882@lpt.ens.fr> <3D2CBAC4.6AC3CAC9@mindspring.com> <20020710230709.GA1512@lpt.ens.fr> <3D2CC6A9.EB0F7995@mindspring.com> <20020711071255.GA264@lpt.ens.fr>

Rahul Siddharthan wrote:
> > No, all I'd have to convince them to do is release fixes for the
> > various packages.  I can install a different OpenSSH in my system,
> > if OpenSSH is just another component.  All I have to care about is
> > binary backward compatibility, and that's taken care of by the
> > dependency tracking.
> 
> (a) You're still bitten by major incompatible changes in OpenSSH which
> could screw up your setup (config files etc, as you pointed out).

Depends on how you handle configuration data.

> (b) What about the C library, the toolkit, the rest of the "base" system?
> Would you like those to be packages too?

Yes.

> In that case, I think gentoo linux's "portage" setup is just for you.
> The entire system is a collection of "ports" (or, to use their
> terminology, "ebuilds"), plus the kernel.  I like it, but it's clear
> to me that I wouldn't trust such a thing on a server.  It's for people
> who like the "bleeding edge" and such a terminology as "gentoo 1.2 +
> bugfixes" has no meaning: each component is upgraded separately to the
> point where it becomes gentoo 1.3, etc.

I'm not talking about building, and I'm not talking about mismatching
binaries, except as required for security/bug fixes (I'd rather have
a mismatched OpenSSH than a broken OpenSSH).


> Either you have nondisruptive bugfixes, or you have potentially
> disruptive upgrades.

For an Indian guy, you certainly have that Aristotelian mean of
"IF A THEN NOT B" down for dividing the world into "all A or all B".
;^).


> You can't have guaranteed-nondisruptive upgrades.

Why not?  You're forbidding it?  Forgive me if I "disobey" you...
8-).

> And nondisruptive bugfixes are typically not supplied for
> outdated packages, so eventually you have to upgrade.  In your
> example, you're at the mercy of not only the FreeBSD team but also the
> OpenSSH team.  As of now, at least, we only depend on the FreeBSD
> team.

A bugfix for an "outdated package" is a "non-outdated package", not
"A new version of the outdated package".

We're already "at the mercy" of the third party software suppliers,
as the recent OpenSSH vulnerability demonstrates.

Just because something is a package doesn't remove it from the
FreeBSD source tree, or maintenance by the FreeBSD team.  Things
don't have to live in binary floppy-sized lumps for them to be
under CVS control in the FreeBSD CVS tree.

-- Terry
