Date: Fri, 22 Oct 2004 17:01:30 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Randall Foster <threeknucklesdeep@hotmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: interim port versions Message-ID: <20041022160130.GB88362@happy-idiot-talk.infracaninophile.co.uk> In-Reply-To: <BAY8-F48B1ndcx3Vp2000005757@hotmail.com> References: <BAY8-F48B1ndcx3Vp2000005757@hotmail.com>
On Fri, Oct 22, 2004 at 06:50:13AM -0700, Randall Foster wrote:
> I'm new to the BSDs, came from Linux and I'm having a bit of difficulty
> figuring out the general philosophy.
>
> One of the major reasons that I decided to try out the 'BSDs' is
> because of the security. I'm having a hard time however figuring out
> how security issues in the ports get dealt with when there is a port
> freeze, like now. The best example I can think of is gaim... (I almost
> didn't recheck the port on the 4.10 tree; it's now mysteriously up to
> date, phew.)

The ports freeze is over now, and has been for about the past fortnight.
Even if there's a ports freeze on, a security bugfix is one of the class
of things that portmgr will generally permit committal of -- for instance
there were a whole row of fixes that went into Mozilla and allied ports
during the last freeze.

Note also that development on the ports tree is not branched -- i.e.
there isn't a special version of the ports tree to match each available
version of the OS, despite the impression to the contrary that having the
per-release pre-compiled packages available from the archives gives.

If you're using ports, for best results, you should be regularly using
cvsup(1) to sync with the latest state of the ports tree, and you should
probably be regularly updating your installed ports to the latest versions
by using portupgrade(1) or otherwise. Similarly if you're using
pre-compiled packages (which you can mix freely with ports from the tree,
so long as the dependencies all still match) -- except that the
pre-compiled packages don't get updated as quickly as the ports tree in
general.

> ......slightly altered next paragraph....
> Let's say I found out there is an MSN SLP buffer overflow (like currently)
> and I wanted to protect myself... so I cvsup'ed my ports tree and then
> wanted to portupgrade... problem is... since it's a port freeze... up
> until a few days ago it's still at 0.82, not the 1.02 that is out now. I
> watched it and never saw version 1.00 or 1.01. Are the ports frozen
> _except_for_security_fixes_ or am I missing something?

You are missing something. Security fixes will be applied.

> I looked around on the lists for this but didn't see it and it seems
> like a fairly big deal if security issues arise during a freeze.

In order to be notified of any known security problems in the ports you
have installed, install the security/portaudit port. You'll get a report
of any problems added to your daily e-mail.

In addition to that, use http://vuxml.freebsd.org/ for all of the known
security issues with the ports over the last 20-odd months (since the
VuXML database was created).

Also check out http://beta.freshports.org/ which will show you any issues
known to affect any particular version of a port. Use the watchlist
feature to receive notification of updates to any ports you're interested
in.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   26 The Paddocks
                                                  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey     Marlow
Tel: +44 1628 476614                              Bucks., SL7 1TH UK
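The check Matthew recommends (portaudit comparing each installed package against the affected-version ranges published in VuXML) boils down to a version ordering plus range matching. The script below is an added example illustrating that logic; it is not portaudit's or FreeBSD's code. The vulnerability entries, their "example-000N" ids and the installed-package list are constructed for the illustration, and the version ordering is a simplified rendering of FreeBSD port version strings (epoch after ",", PORTREVISION after "_", dotted components, a letter suffix sorting after the bare number), not a reimplementation of pkg_version(1).

```python
"""Match installed package versions against VuXML-style affected ranges.

Added example, not portaudit's or FreeBSD's code. The vulnerability
entries and the installed-package list below are constructed for the
illustration; the version ordering is a simplified rendering of FreeBSD
port version strings (see compare_versions), not pkg_version(1).
"""
import re
from typing import Dict, List, Tuple

# Constructed VuXML-like entries. Each "ranges" item uses VuXML's
# operator element names (lt, le, gt, ge, eq); a version is affected
# if it satisfies every operator in at least one range.
VULNS: List[Dict] = [
    {
        "vid": "example-0001",  # hypothetical id, not a real VuXML vid
        "topic": "gaim -- buffer overflow (constructed entry)",
        "package": "gaim",
        "ranges": [{"lt": "1.0.2"}],
    },
    {
        "vid": "example-0002",  # hypothetical id, not a real VuXML vid
        "topic": "mozilla -- multiple issues (constructed entry)",
        "package": "mozilla",
        "ranges": [{"ge": "1.7", "lt": "1.7.3_1"}],
    },
]

# Constructed pkg_info(1)-style "name-version" list of installed packages.
INSTALLED = ["gaim-0.82_1", "mozilla-1.7.2", "portaudit-0.5.1"]


def _split_version(v: str) -> Tuple[int, List[Tuple[int, str]], int]:
    """Split 'version[_revision][,epoch]' into comparable pieces.

    Dotted components become (number, letters) tuples so that digits
    compare numerically and a letter suffix sorts after the bare number
    (1.0a > 1.0). Missing trailing components are padded with 0 by the
    caller so that 1.0 == 1.0.0.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts: List[Tuple[int, str]] = []
    for component in v.split("."):
        for token in re.findall(r"\d+|[A-Za-z]+", component):
            parts.append((int(token), "") if token.isdigit() else (0, token))
    return epoch, parts, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, pa, ra = _split_version(a)
    eb, pb, rb = _split_version(b)
    if ea != eb:                      # epoch dominates everything else
        return (ea > eb) - (ea < eb)
    width = max(len(pa), len(pb))     # pad so 1.0 compares equal to 1.0.0
    pa += [(0, "")] * (width - len(pa))
    pb += [(0, "")] * (width - len(pb))
    for x, y in zip(pa, pb):
        if x != y:
            return (x > y) - (x < y)
    return (ra > rb) - (ra < rb)      # PORTREVISION breaks the tie


_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def in_range(version: str, rng: Dict[str, str]) -> bool:
    """True if version satisfies every operator/bound pair in rng."""
    return all(_OPS[op](compare_versions(version, bound)) for op, bound in rng.items())


def audit(installed: List[str], vulns: List[Dict]) -> List[Tuple[str, str]]:
    """Return (package, vid) for every installed package inside an affected range."""
    findings = []
    for pkg in installed:
        name, _, version = pkg.rpartition("-")   # the version part never contains '-'
        for vuln in vulns:
            if vuln["package"] == name and any(in_range(version, r) for r in vuln["ranges"]):
                findings.append((pkg, vuln["vid"]))
    return findings


if __name__ == "__main__":
    for pkg, vid in audit(INSTALLED, VULNS):
        print(f"Affected package: {pkg}  ({vid})")
```

Note the two edge cases the ranges exercise: a PORTREVISION bump ("1.7.3_1") is newer than the plain upstream version, so a fix committed as a revision bump during a freeze takes the package out of the affected range, and an epoch (",1") overrides any apparent decrease in the upstream version number. Both are why comparing version strings lexically, as a quick shell one-liner might, gives wrong answers.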
