From: Melvyn Sopacua
To: freebsd-stable@freebsd.org
Date: Tue, 20 Dec 2005 11:43:55 +0100
Subject: Re: ports security branch
References: <43A7A3F7.7060500@mail.ru> <20051220083913.GA505@kierun.org> <43A7DA65.1020801@mail.ru>
In-Reply-To: <43A7DA65.1020801@mail.ru>
Message-Id: <200512201143.55965.freebsd.stable@melvyn.homeunix.org>

On Tuesday 20 December 2005 11:18, rihad wrote:
> Yann Golanski wrote:
> > Quoth rihad on Tue, Dec 20, 2005 at 10:25:59 +0400
> >
> >>Is there a security branch for the FreeBSD ports collection? Let's say,
> >>I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages
> >>(i.e., those on the CD). Running security/portaudit after a while
> >>reveals that some of the installed packages have vulnerabilities. Am I
> >>on my own to go grab the fresh ports tree, and upgrade the affected
> >>software, suffering all the intricacies of the move by myself? Debian
> >>GNU/Linux has its security package updates, OpenBSD has a separately
> >>maintained "errata" ports branch (it's very likely you still get to
> >>download a newer release of the software, though).
> >
> > Attached is a script I use to update my machines. It works fine but
> > you need to understand what it does and not run it blindly. DO NOT put
> > that in cron, there lies pain!
> >
> > Otherwise, just run the script and it will update all your ports for
> > you. It'll even mail you with the updated ports.
>
> [script snipped]
>
> A very interesting script for its own purpose, but I'm afraid this
> doesn't answer my question at all.

FreeBSD accepts limited responsibility for what is in /usr/ports. Maintaining
security is not one of them.

> Perhaps seeing the way that e.g.
> Debian deals with the upgrade problem might shed some light on the
> issue. Hell, FreeBSD does exactly that for the base world+kernel, too!
> Not for the ports, though.

See above. Instead of focusing on the method, focus on the end-goal: you want
security updates on your ports and the script posted attempts to provide that.
I had one that was safe to run in cron (in fact it ran in periodic/daily), but
uses a cvs tree of ports, not cvsup to save time[1]. I lost it with a disk
crash, but was going to recreate it anyway, might as well do it now if people
are interested.

[1] cvsup although faster on the entire tree cannot update a single directory.

-- 
Melvyn Sopacua
freebsd.stable@melvyn.homeunix.org

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3