From: John Marino
Date: Thu, 10 Apr 2014 22:39:12 +0200
To: Bryan Drewery, Janne Snabb, freebsd-ports@freebsd.org, freebsd security
Subject: Re: Missing binary package security updates?
Message-ID: <53470170.6010401@marino.st>
In-Reply-To: <5346F98D.6030102@FreeBSD.org>
References: <5346E459.3020207@epipe.com> <5346F98D.6030102@FreeBSD.org>
Reply-To: marino@freebsd.org
List-Id: Porting software to FreeBSD

On 4/10/2014 22:05, Bryan Drewery wrote:
> On 4/10/2014 1:35 PM, Janne Snabb wrote:
>>
>> I think I have noticed binary package updates only about once a week. Is
>> my observation correct? Why such an infrequent update cycle? If there is
>> some real reason to build package updates so rarely, would it be
>> possible to hasten the cycle whenever serious issues like CVE-2014-0160
>> are found?
>
> (I am involved in building the packages)
>
> Yes, packages currently start building Tuesday night. It takes until
> Saturday/Sunday for all release/arch to finish building. As each
> release/arch is finished the packages are uploaded.

I think there are also some misconceptions here. There are over 24,000
packages. Even with incremental building, one week's worth of changes
forces between 7000 and 15000 packages to rebuild. I assume some people
think that touching 300 packages in a week means only 300 packages need
to be rebuilt, but the reality is that it's hundreds. Depending on the
machines and how many there are, it could take multiple days to make
packages for just one platform. If it takes two days and there are 4
platforms to build, that's 8 days right there.

So the words "infrequent update cycle" are, I think, a signal that these
parameters aren't understood.

(Note, I am not involved in building FreeBSD packages)

>> Right now pkgng binary packages are not really suitable for production
>> use because of lacking essential security updates. (There should be a
>> loud and clear warning about this in the Handbook if it stays this way?)

What would make it better? Even if somebody designated a particular
vulnerability so important that it merited an out-of-cycle build (and all
the ripples that would cause), it is still looking at a 2-3 day cycle,
minimum. How many of these security updates are "essential and can't
wait 7 days"? Heartbleed doesn't happen every day...

Depending on what is deemed acceptable, I can't envision how binary
packages (a courtesy, ultimately) can be made good enough from a security
standpoint.

John