From: Julian Elischer <julian@freebsd.org>
To: Dewayne Geraghty, scratch65535@att.net
Cc: freebsd-ports <freebsd-ports@freebsd.org>
Subject: Re: Is pkg quarterly really needed?
Date: Thu, 20 Apr 2017 10:24:49 +0800
References: <58F61A8D.1030309@a1poweruser.com>

On 20/4/17 6:29 am, Dewayne Geraghty wrote:
> Scratch65535, I think your best solution is to use latest and upgrade when
> you need to. Unlike Freddie's comment re only desktop users using latest.
> I ONLY upgrade my local svn of ports when there's a vulnerability or
> significant (for users) functional improvement of a port.
>
> It is a labour-intensive exercise, monitoring CVEs for all
> externally-facing applications.
>
> It's a nice idea having a snapshot of ports, from the perspective of
> consistency, but that model doesn't suit our risk appetite on multiple
> levels; and in our view back-porting fixes to a quarterly snapshot, a good
> idea from a security perspective, is a really bad idea from a
> consistency/administrative/audit perspective.

We mirror the ports tree (and base) into p4 and also as svn, and use this
to check out the head branch to whatever release we need. Our scripts are
capable of checking out a particular port at a (slightly) different rev to
the default rev used for the rest, as sometimes we find we need a slightly
newer rev of one port or another. This sometimes doesn't work if there are
framework changes that affect the port, but mostly we find that it's ok if
you just want to bump a port up a small amount to catch a bugfix, or take
it back a bit to avoid a regression.

We also do sparse checkouts of the ports tree to save time, but that's
another issue.. We therefore have all our pkgs (which we store with each
release) at the same level of source tree so they all match.

> How the ports infrastructure can meet many conflicting objectives is
> something that we (the consumers of the ports service) must decide for our
> circumstance. The use-the-latest paradigm suits individuals that manage
> their individual machine, but when you manage multiple clients' servers,
> the requirements are different (try meeting a SAS70-II/SSAE16-SOC2, ISO27001
> SOA, NIST 800-53r5, etc.)
>
> On a non-audit level, Microsoft might hold to monthly updates/fixes ("patch
> Tuesday") but bad guys don't.
> Regards, Dewayne.
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
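The sparse-checkout-plus-per-port-pin workflow described in the message above, as an added example; this is not Julian Elischer's script and not part of the FreeBSD ports infrastructure. It assumes a Subversion mirror of the ports tree at a hypothetical URL (PORTS_URL), a tree-wide base revision (BASE_REV) and a constructed pin list of two ports; the revision numbers are made up for illustration. The whole tree is checked out sparsely at BASE_REV, then each pinned port's subtree is moved to its own revision with `svn update -r`, giving a mixed-revision working copy, and the pins are verified with `svn info --show-item revision` (Subversion 1.9 or later).

```shell
#!/bin/sh
# Added example: pin individual ports to a revision other than the tree-wide one.
# Not the original poster's script. PORTS_URL, BASE_REV and the pin list below
# are assumptions/constructed data, not real mirrors or revisions.
set -eu

PORTS_URL="${PORTS_URL:-https://svn.example.org/ports/head}"  # hypothetical mirror
BASE_REV="${BASE_REV:-438000}"                                  # tree-wide revision (made up)
WC="${WC:-/usr/ports}"                                          # working copy location

# Constructed pin list, one "category/port revision" per line; '#' lines and
# blank lines are ignored. One port is bumped forward for a fix, one is held
# back to avoid a regression, mirroring the two cases the message describes.
PINS='
# forward to catch a bugfix
security/openssl 438123
# back to avoid a regression
www/nginx 437950
'

# port_rev PORT -> revision to use for PORT: its pin, or BASE_REV if unpinned.
port_rev() {
    printf '%s\n' "$PINS" | awk -v port="$1" -v base="$BASE_REV" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == port           { print $2; found = 1; exit }
        END                  { if (!found) print base }'
}

# pinned_ports -> the port names that carry a pin, one per line.
pinned_ports() {
    printf '%s\n' "$PINS" | awk 'NF == 0 || $1 ~ /^#/ { next } { print $1 }'
}

# Sparse checkout at BASE_REV: top-level files and empty category dirs only,
# then the framework directories and the ports passed as arguments.
checkout_tree() {
    svn checkout -r "$BASE_REV" --depth immediates "$PORTS_URL" "$WC"
    svn update -r "$BASE_REV" --set-depth infinity \
        "$WC/Mk" "$WC/Templates" "$WC/Keywords"
    for p in "$@"; do
        svn update -r "$BASE_REV" --set-depth infinity --parents "$WC/$p"
    done
}

# Move each pinned port's subtree to its own revision. Note that a later
# tree-wide "svn update -r NEWREV $WC" moves these subtrees too, so this
# must be re-run after every tree-wide update.
apply_pins() {
    for p in $(pinned_ports); do
        svn update -r "$(port_rev "$p")" "$WC/$p"
    done
}

# Check that every pinned port really sits at its pinned revision; returns
# non-zero and reports each mismatch on stderr if not.
verify_pins() {
    rc=0
    for p in $(pinned_ports); do
        want=$(port_rev "$p")
        have=$(svn info --show-item revision "$WC/$p")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $p: want r$want, have r$have" >&2
            rc=1
        fi
    done
    return "$rc"
}

main() {
    checkout_tree "$@" $(pinned_ports)
    apply_pins
    verify_pins
}

# Only touch svn when ports to check out are given on the command line,
# e.g.: ./pin_ports.sh lang/python36 devel/git
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the pinned subtrees are at a different revision from the rest of the working copy, `svn status` and `svn info` at the root report a mixed-revision tree; that is expected here, and verify_pins is the check that the pins are still in place before packages are built from the tree.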