Date: Thu, 10 Apr 2014 22:39:12 +0200 From: John Marino <freebsd.contact@marino.st> To: Bryan Drewery <bdrewery@FreeBSD.org>, Janne Snabb <snabb@epipe.com>, freebsd-ports@freebsd.org, freebsd security <freebsd-security@freebsd.org> Subject: Re: Missing binary package security updates? Message-ID: <53470170.6010401@marino.st> In-Reply-To: <5346F98D.6030102@FreeBSD.org> References: <5346E459.3020207@epipe.com> <5346F98D.6030102@FreeBSD.org>
On 4/10/2014 22:05, Bryan Drewery wrote:
> On 4/10/2014 1:35 PM, Janne Snabb wrote:
>>
>> I think I have noticed binary package updates only about once a week. Is
>> my observation correct? Why such an infrequent update cycle? If there is
>> some real reason to build package updates so rarely, would it be
>> possible to hasten the cycle whenever serious issues like CVE-2014-0160
>> are found?
>
> (I am involved in building the packages)
>
> Yes, packages currently start building Tuesday night. It takes until
> Saturday/Sunday for all release/arch to finish building. As each
> release/arch is finished the packages are uploaded.

I think there are also some misconceptions here. There are over 24,000 packages. Even with incremental building, one week's worth of changes forces between 7000 and 15000 packages to rebuild. I assume some people think that touching 300 packages in a week means only 300 packages need to be rebuilt, but the reality is that it's hundreds. Depending on the machines and how many there are, it could take multiple days to make packages for just one platform. If it takes two days and there are 4 platforms to build, that's 8 days right there.

So the words "infrequent update cycle" are, I think, a signal that these parameters aren't understood. (Note, I am not involved in building FreeBSD packages.)

>> Right now pkgng binary packages are not really suitable for production
>> use because of lacking essential security updates. (There should be a
>> loud and clear warning about this in the Handbook if it stays this way?)

What would make it better? Even if somebody designed a particular vulnerability so important that it merited an out-of-cycle build (and all the ripples that would cause), it is still looking at a 2-3 day cycle, minimum. How many of these security updates are "essential and can't wait 7 days"? Heartbleed doesn't happen every day...

Depending on what is deemed acceptable, I can't envision how binary packages (a courtesy, ultimately) can be made good enough from a security standpoint.

John
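The rebuild cascade John describes (touching a few ports forces everything that transitively depends on them to rebuild, which is why a fix in a library such as OpenSSL is not a "300 package" job) can be made concrete with a reverse-dependency closure. The following is an added example, not code from this thread or from the FreeBSD package builders; the dependency graph is constructed and deliberately tiny, and the package names are illustrative only.

```python
from collections import deque

# Constructed, simplified dependency graph: package -> packages it depends on.
# Not the real FreeBSD ports tree; names are placeholders for the shape only.
DEPENDS_ON = {
    "openssl": [],
    "curl": ["openssl"],
    "python": ["openssl"],
    "git": ["curl", "openssl"],
    "py-requests": ["python"],
    "nginx": ["openssl"],
    "vim": [],
    "perl": [],
}


def reverse_deps(depends_on):
    """Invert the graph: package -> set of packages that depend on it directly."""
    rev = {pkg: set() for pkg in depends_on}
    for pkg, deps in depends_on.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def rebuild_set(depends_on, changed):
    """Packages an incremental builder must rebuild when `changed` are touched.

    That is the changed packages plus the transitive closure of their
    reverse dependencies: a binary linked against the old library has to be
    rebuilt even though its own port did not change.
    """
    rev = reverse_deps(depends_on)
    result = set(changed)
    todo = deque(changed)
    while todo:
        pkg = todo.popleft()
        for dependent in rev.get(pkg, ()):
            if dependent not in result:
                result.add(dependent)
                todo.append(dependent)
    return result


def amplification(depends_on, changed):
    """How many packages rebuild per package actually changed."""
    return len(rebuild_set(depends_on, changed)) / len(changed)
```

With this graph a single change to `openssl` forces six of the eight packages to rebuild, whereas a change to a leaf like `vim` rebuilds only itself; on a real tree the same effect is what turns a security fix in one library into a multi-day build.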