From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: pkg repositories out of alignment (was: Re: bash velnerability)
Date: Fri, 26 Sep 2014 14:55:03 -0500

On Fri, Sep 26, 2014, at 10:25, Paul Hoffman wrote:
>
> I appreciate the speed that folks update the packages; I'm a bit
> distressed that 9.3 seems to be a second-class citizen for security
> fixes. (And I totally admit that I could be misreading the situation.)
>

(speaking strictly as a consumer of the pkg repository)

I am not aware of any other packages with security vulnerabilities that have been updated on the repository outside of the planned once-a-week schedule. This means if the package set is built and published and immediately thereafter a vulnerability comes out for www/chromium, don't expect to see the update until next week.

There is a desire to solve this problem and it is not a simple solution. Keep in mind that the ports tree has existed for 20 years now expecting people to consume it from source, not from packages. I've witnessed the ports team and ports-mgmt/pkg authors perform miracles over the last 2 years and they have further plans to modernize the architecture.

FYI, the repositories are built sequentially and I don't think there's a preference of a certain release over another. They're working hard to get these updated packages out the door as fast as possible.