Date: Wed, 27 Aug 2014 13:07:22 +0200
From: Tijl Coosemans <tijl@FreeBSD.org>
To: J David <j.david.lists@gmail.com>
Cc: freebsd-questions@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Quarterly ports trees not getting security updates?
Message-ID: <20140827130722.6ecfb464@kalimero.tijl.coosemans.org>
In-Reply-To: <CABXB=RRuPqSoc6CBYLf3MBr68n-w9-0cUaOCrVvhrzvRpNnE3w@mail.gmail.com>
References: <CABXB=RRuPqSoc6CBYLf3MBr68n-w9-0cUaOCrVvhrzvRpNnE3w@mail.gmail.com>
On Tue, 26 Aug 2014 20:15:50 -0400
J David <j.david.lists@gmail.com> wrote:
> When the quarterly ports trees were introduced, they were described as
> including security, build, and runtime fixes for 3 months.
>
> This is a great idea, and with 2014Q2 it seemed to work pretty well.
> However, it doesn't seem like 2014Q3 is getting security fixes.
>
> For example, the openssl port has never been updated since branch;
> it's still on 1.0.1_13, which has 9 open CVE's against it. Other
> ports have similar issues (e.g. serf and subversion).
>
> What could a non-expert such as myself do to help with this? Is it
> just a matter of trying to identify the relevant commits from the head
> of the ports tree, or is there more to it?

In Q3 a lot of people were on vacation of course, but the main problem
I think is that few if any committers are dogfooding the quarterly
branches so we are simply not giving enough attention to it.

Personally I find 3 months to be too long. I think 1 month would fit
people's update schedules better. I tend to update my machines roughly
once a month, the FreeBSD cluster machines are updated once a month,
there's Microsoft's monthly patch Tuesday, etc. One month is also long
enough to introduce major updates at the beginning of the month and
have everything working by the end of the month, yet short enough that
most updates can wait until the next snapshot and don't have to be
merged. And important security fixes will be easier to merge to a one
month old ports tree than a 3 month old one.