From owner-freebsd-stable@FreeBSD.ORG Tue Dec 20 12:26:54 2005
Message-ID: <43A7F875.4010903@mail.ru>
Date: Tue, 20 Dec 2005 16:26:29 +0400
From: rihad
To: Marwan Burelle
Cc: freebsd-stable@freebsd.org
Subject: Re: ports security branch
In-Reply-To: <20051220110315.GA66112@melkor.kh405.net>
References: <43A7A3F7.7060500@mail.ru> <20051220083913.GA505@kierun.org> <43A7DA65.1020801@mail.ru> <20051220110315.GA66112@melkor.kh405.net>

Marwan Burelle wrote:
> On Tue, Dec 20, 2005 at 02:18:13PM +0400, rihad wrote:
>
>> A very interesting script for its own purpose, but I'm afraid this
>> doesn't answer my question at all. Perhaps seeing the way that e.g.
>> Debian deals with the upgrade problem might shed some light on the
>> issue. Hell, FreeBSD does exactly that for the base world+kernel, too!
>> Not for the ports, though.
>
> The "Debian way" is to have a frozen tree and restrained updates; this
> induces at least two levels of maintenance, one that follows
> "on-the-edge" updates and the other that only follows security
> updates. The problem is that most applications don't work like that,
> they don't maintain two branches, and thus you need (or the maintainer
> of the port needs) to maintain a bunch of security patches for that
> app that don't have any dependency links (or at least only to other
> security updates ...)
>
> This is a lot of work, and IMHO that's why Debian stable is so often
> outdated (and sometimes completely obsolete.) This also raises
> questions like "when should we move to the next/last release?",
> "Is that patch set too important?" ...
>
> My own experience shows me that most of the time when you only need
> security updates, that means that your box is "specialized" in some
> way with a small set of installed ports, and thus every update in the
> tree for those ports is relevant. Otherwise, you may want to have up
> to date ports because it's providing you with shiny new features ;)

I think Debian does an excellent job of taking the common load off the shoulders of its users by providing security package updates with no changes in functionality wherever possible. Changes in software functionality, configs, dependencies etc. almost always hurt; that's what Debian is trying to save its users from.

Imagine: Foo 1.2.3, which was current at the time of the FreeBSD 6.0 release, gets a severe vuln after some time. Some admins upgrade to the latest and greatest Foo 1.2.9, others to Foo 1.2.7 (probably with a not recently updated ports tree)... Still with me? Factoring this security upgrade path into the OS so that all users get the same fix and functionality is a very hard thing to do and maintain, I'd guess. FreeBSD's "latest and greatest" attitude is very relevant for desktop users and such.
I think it would be even better to make security-conscious server admins' lives even better. Put up a box, forget about it, do a major upgrade in a year. Oversimplifying here...