Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 20 Apr 2017 10:24:49 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        Dewayne Geraghty <dewaynegeraghty@gmail.com>, scratch65535@att.net
Cc:        freebsd-ports <ports@freebsd.org>
Subject:   Re: Is pkg quarterly really needed?
Message-ID:  <c4a521cc-5a3a-149b-e9a2-02c6bf3dcfa0@freebsd.org>
In-Reply-To: <CAGnMC6oMNbJA1hOXUX99owDhnP%2Br4p1-6x3dca_N_PL_RL_7AA@mail.gmail.com>
References:  <58F61A8D.1030309@a1poweruser.com> <CALfReyctL3vTt756oyh1ZTf%2BkgpAOHwp_SUZQCFQiZDccFNMow@mail.gmail.com> <ljhffcphq3bqr8dk2lrlld11ola28b7gqp@4ax.com> <CAGnMC6oMNbJA1hOXUX99owDhnP%2Br4p1-6x3dca_N_PL_RL_7AA@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 20/4/17 6:29 am, Dewayne Geraghty wrote:
> Scratch65535, I think your best solution is to use latest and upgrade when
> you need to.  Unlike Freddie's comment re only desktop users using latest.
> I ONLY upgrade my local svn of ports when there's a vulnerability or
> significant (for users) functional improvement of a port.
>
> It is a labour intensive exercise, monitoring CVE's for all
> externally-facing applications.
>
> Its a nice idea having a snapshot of ports, from the perspective of
> consistency, but that model doesnt suite our risk appetite on multiple
> levels; and in our view back-porting fixes to a quarterly snapshot - a good
> idea from a security perspective it is a really bad idea from a
> consistency/administrative/audit perspective.

We mirror the ports tree (and base) into p4 and also as svn, and use 
this to check out the head branch to whatever release we need.
Our scripts are capable of checking out a particular port at a 
(slightly) different rev to the default rev used for the rest, as 
sometimes we find we need a slightly newer rev of one port or 
another.  This sometimes doesn't work if there are framework changes 
that affect the port but mostly we find that it's ok if you just want 
to bump a port up a small amount to catch a bugfix,or take it back a 
bit to avoid a regression. We also do sparse checkouts of the ports 
tree ot save time, but that's another issue..

We therefore have all out pkgs (which we store with each release) at 
the same level of source tree so they all match.

>
> How the ports infrastructure can meet many conflicting objectives is
> something that we (the consumers of the ports service) must decide for our
> circumstance.  The use-the-latest paradigm suits individuals that manage
> their individual machine, but when you manage multiple clients' servers,
> the requirements are different (try meeting a SAS70-II/SAE16-SOC2, ISO27001
> SOA, NIST 800-53r5, etc)
>
> On a non-audit level, Microsoft might hold to monthly updates/fixes ("patch
> Tuesday") but bad guys don't.
> Regards, Dewayne.
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
>




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c4a521cc-5a3a-149b-e9a2-02c6bf3dcfa0>