Date: Sun, 13 Jun 2004 09:42:26 +0100
From: Steve O'Hara-Smith
To: Haim Ashkenazi
cc: freebsd-stable@freebsd.org
Subject: Re: keeping my freebsd secure...

On Sun, 13 Jun 2004 03:02:52 +0300
Haim Ashkenazi wrote:

HA> This is another thing I'm confused about. If I stay with RELENG_4_10,
HA> would I get security updates? Does this also affect the ports?

If you stay with RELENG_4_10 you will get *only* security updates to the base system.
Upgrading the base system does nothing at all to the ports, which are maintained separately and not branched. To upgrade the ports you have to update your ports tree (with cvsup) and use portupgrade, or do it by hand, which is no fun at all.

There is no way of getting only security changes for the ports, mainly because the ports are really only canned build/install instructions for third-party applications, most of which do not separate security changes from feature changes and bug fixes.

It would be nice if there were a set of tested, reliable and secure open source applications available; maintaining such a set would be a major project in its own right. It would probably need a shadow CVS (or similar) repository for each application and enough skilled people to audit and test each and every change against an ever-growing regression and security test suite. Such an effort would most likely lag behind the main development badly and/or generate forks. The alternative, and current practice, is to depend on the main development teams of each application to do the best they can and track their releases.

-- 
C:>WIN                                      | Solar Thermal Systems
The computer obeys and wins.                | http://www.soleire.com/
You lose and Bill collects.                 | Directable Mirror Arrays
                                            | http://www.sohara.org/
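
Added example, not part of the original message: a cvsup supfile showing the split the reply describes, with the base system pinned to the RELENG_4_10 security branch and the unbranched ports tree followed at its head. The host name is a placeholder and the base/prefix paths are assumptions; adjust them for your site.

```conf
# Constructed example supfile (not from the original message).
# Placeholder host: replace with a real cvsup mirror near you.
*default host=CHANGE_THIS.FreeBSD.org
*default base=/usr
*default prefix=/usr

# Default tag for every collection below: the 4.10 security branch.
# On this branch the base system receives only security fixes.
*default release=cvs tag=RELENG_4_10
*default delete use-rel-suffix
*default compress

# Base system sources: inherits tag=RELENG_4_10 from the defaults.
src-all

# Ports are not branched, so the release tag does not apply to them.
# "tag=." overrides the default for this collection and fetches the
# current ports tree, which mixes security fixes with feature
# changes and bug fixes.
ports-all tag=.

# Typical use, assuming this file is saved as /root/supfile:
#   cvsup -g -L 2 /root/supfile
# After the ports tree is updated, installed third-party software is
# rebuilt with portupgrade (or by hand), as described in the message.
```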