From: Marian Hettwer
Date: Mon, 22 May 2006 11:40:16 +0200
To: Scott Long
Cc: freebsd security, FreeBSD Stable, Colin Percival, Brent Casavant
Subject: Re: FreeBSD Security Survey
Message-ID: <44718700.2060102@kernel32.de>

Hi there,

Scott Long wrote:
> Brent Casavant wrote:
>
>> While I find ports to be the single most useful feature of the FreeBSD
>> experience, and can't thank contributors enough for the efforts, I on
>> the other hand find updating my installed ports collection (for security
>> reasons or otherwise) to be quite painful. I typically use portupgrade
>> to perform this task. On several occasions I got "bit" by doing a
>> portupgrade which wasn't able to completely upgrade all dependencies
>> (particularly when X, GUI's, and desktops are in the mix -- though I
>> always follow the special Gnome upgrade methods when appropriate).
>>

Like Scott pointed out below, stick with either building from source, or
using packages. Mixing them may have strange side effects.
To give an example. I usually use portupgrade without using packages.
But last time I needed to update my ports (on a production server,
though private not corporate server), I used portupgrade -P (to use
packages if available). It updated php, using packages, but unluckily
the packages were built against apache13. I'm using apache20, so my php
installation was trashed. Argh.

But even more painful is the fact that portupgrade _always_ fails on
some perl modules. Usually p5-XML-Parser. I don't know why, but it's
annoying...

> ports tree in the process, the end result is a bit more undefined. One
> thing that I wish for is that the ports tree would branch for releases,
> and that those branches would get security updates. I know that this
> would involve an exponentially larger amount of effort from the ports
> team, and I don't fault them for not doing it. Still, it would be nice
> to have.

I have to agree on that statement. I would love to see branched ports.
This can get very important on servers, where you don't want to have
major upgrades, but only security updates.
I guess it's a question of manpower, hm?
Would a survey help? As in ask the ports team and FreeBSD administrators?
Maybe some will start to become port maintainers too, just to support
the increased work on ports due to branching them... I would :)

best regards,
Marian