From owner-freebsd-stable@FreeBSD.ORG Tue Jul 6 08:00:48 2004 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77E9E16A4CE for ; Tue, 6 Jul 2004 08:00:48 +0000 (GMT) Received: from smtp.owt.com (smtp.owt.com [204.118.6.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27B3743D2F for ; Tue, 6 Jul 2004 08:00:48 +0000 (GMT) (envelope-from kstewart@owt.com) Received: from [207.41.94.233] (owt-207-41-94-233.owt.com [207.41.94.233]) by smtp.owt.com (8.12.8/8.12.8) with ESMTP id i66806H5026963 for ; Tue, 6 Jul 2004 01:00:09 -0700 From: Kent Stewart To: freebsd-stable@freebsd.org Date: Tue, 6 Jul 2004 01:00:44 -0700 User-Agent: KMail/1.6.2 References: <200407060633.i666XuiP077911@app.auscert.org.au> <200407060035.05334.kstewart@owt.com> In-Reply-To: <200407060035.05334.kstewart@owt.com> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200407060100.44096.kstewart@owt.com> Subject: Re: apache port broken for 4.10 RELEASE? X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Jul 2004 08:00:48 -0000 On Tuesday 06 July 2004 12:35 am, Kent Stewart wrote: > On Monday 05 July 2004 11:33 pm, freebsd-stable@auscert.org.au wrote: > > Thanks Kent (and Phil and Udo). > > > > I have a couple of questions though. > > > > If 2.0.49 apache is broken in 4.10 release (install +ports), why do > > the MD5 sums exist in distinfo for this particular version at all > > (rather than just a simple "not supported for this release" error) > > Well, you are some what expected to follow the port tree. Ports in > the releases get old quickly. A port that is used as much as Apache > is will never stay broken for long. You need to look at http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/apache2/Makefile There have been security problems fixed in Apache that will never be added to a stock release. If you follow the port system using cvsup of ports-all, there are tools to tell you that ports on your system are out of date and need to be updated to include those security fixes. It is a two edged sword because not all updates are security related and the tools will want to update the ports that have new releases.Some of them involved changing the interface in libraries and continuing to use new libraries with old codes can produce the typical off by 1 problems that make your system vulnerable. Kent -- Kent Stewart Richland, WA http://users.owt.com/kstewart/index.html