From: rihad <rihad@mail.ru>
Date: Wed, 21 Dec 2005 22:46:32 +0400
To: freebsd.stable@melvyn.homeunix.org
Cc: freebsd-stable@freebsd.org
Subject: Re: ports security branch
Message-ID: <43A9A308.9000005@mail.ru>
List-Id: Production branch of FreeBSD source code

>>> Imagine: Foo 1.2.3 that was current at the time of FreeBSD 6.0 release gets a severe vuln after some time. Some admins upgrade to the latest and greatest Foo 1.2.9, others to Foo 1.2.7 (probably with not recently updated ports tree)...
>
> If 1.2.7 is secure, there is no problem. If 1.2.7 is not, portaudit will not let you upgrade. It seems to me, you need to familiarize yourself first with the mechanisms in place already, before shooting it.

Scrolling a couple of pages backwards, you suddenly realize that it was I who first mentioned the role of portaudit in maintaining the security info in this "thread". Never mind.

There _might_ be a problem if one always upgrades to a newer release, this way or another, right on the production machine. The whole point of security updates is making users' lives easier. You upgrade, you want the software-OS bundle to behave, feel and touch _exactly_ the same way it did before. Once again, FreeBSD already _does_ that to the base system.