From owner-freebsd-stable@FreeBSD.ORG Thu Jan 24 16:17:38 2013
Date: Thu, 24 Jan 2013 16:17:37 +0000
Subject: Re: svn - but smaller?
From: Chris Rees
To: Jeremy Chadwick
Cc: Chris Rees, FreeBSD
In-Reply-To: <20130123215531.GA13217@icarus.home.lan>
List-Id: Production branch of FreeBSD source code

On 23 Jan 2013 21:55, "Jeremy Chadwick" wrote:
>
> (Please keep me CC'd as I'm not subscribed to the list)
>
> > Great idea;
> >
> > http://www.bayofrum.net/~crees/patches/svn-static.diff
> >
> > Lev, do you mind if I commit this? I haven't touched the subversion
> > port, but it'll have you as maintainer :)
> >
> > If you prefer, I don't mind maintaining this.
>
> As I understand it this patch would induce the build cluster to build
> subversion-static.tbz (eventually) and put it on the package servers.
>
> So what happens when one of the underlying dependencies that you've
> included statically (those would possibly be: Oracle/SleepyCat DB, APR,
> expat, sqlite3, neon, gettext, and iconv) have security holes or major
> bugs found/addressed in them?

The package would be updated on the next build, since a dependency changed.

> As I understand it -- based on history -- the packages on the FTP
> servers get updated "whenever". My other post shows some haven't been
> updated in months (and yes I'm aware of the security incident).

That's why, so for normal use it's irrelevant.

> So how long would a key piece of software containing insecure
> statically-linked libraries be on the FTP servers?

No longer than any other package.

> How would the port maintainer(s) even know the libraries/software which
> subversion is dependent upon had been updated, thus requiring a new
> subversion package to be pushed out to the package servers ASAP (i.e.
> immediately, not days, weeks, or months)?
>
> My point: ports have always been "best-effort". They are advertised
> vehemently throughout "everything FreeBSD" as being third-party software
> and therefore . Yet now critical pieces to
> FreeBSD development (and now end-users too, as a result of using the
> security incident to push SVN) rely upon something in ports. That's
> quite a conundrum the Project has created for itself, an ouroboros of
> sorts.

This is not intended as general use for everyone, it's intended as a shortcut when building a new machine or anything else. I'll put a big warning in pkg message :)

Chris