Date: Thu, 10 Apr 2014 15:05:33 -0500 From: Bryan Drewery <bdrewery@FreeBSD.org> To: Janne Snabb <snabb@epipe.com>, freebsd-ports@freebsd.org, freebsd security <freebsd-security@freebsd.org> Subject: Re: Missing binary package security updates? Message-ID: <5346F98D.6030102@FreeBSD.org> In-Reply-To: <5346E459.3020207@epipe.com> References: <5346E459.3020207@epipe.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --NHBbLboAnfNiJilJHEDhm9VMCsLtOGhU6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 4/10/2014 1:35 PM, Janne Snabb wrote: > Hi, >=20 > I recently started using the new fancy pkgng binary packages on some > machines that I maintain. I thought I could save a lot of time as I > would not need to keep compiling ports manually any more. >=20 > Unfortunately it seems that it was not such a good idea: >=20 > # date > Thu Apr 10 21:27:22 EEST 2014 > # pkg audit > openssl-1.0.1_9 is vulnerable: > OpenSSL -- Multiple vulnerabilities - private data exposure > CVE: CVE-2014-0076 > CVE: CVE-2014-0160 > WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.= html >=20 > 1 problem(s) in the installed packages found. > # pkg upgrade > Updating repository catalogue > Nothing to do > # >=20 > This is on FreeBSD 8/i386. >=20 > I think I have noticed binary package updates only about once a week. I= s > my observation correct? Why such an infrequent update cycle? If there i= s > some real reason to build package updates so rarely, would it be > possible to hasten the cycle whenever serious issues like CVE-2014-0160= > are found? (I am involved in building the packages) Yes packages currently start building Tuesday night. It takes until Saturday/Sunday for all release/arch to finish building. As each release/arch is finished the packages are uploaded. I did want to expedite updating this package but was blocked by a number of things. I regret we did not, and will not, have a package available sooner for all release/archs. I have started an internal discussion on building packages more frequently for security updates. >=20 > Right now pkgng binary packages are not really suitable for production > use because of lacking essential security updates. (There should be a > loud and clear warning about this in the Handbook if it stays this way?= ) >=20 > Best Regards, >=20 --=20 Regards, Bryan Drewery --NHBbLboAnfNiJilJHEDhm9VMCsLtOGhU6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTRvmNAAoJEDXXcbtuRpfPdHIH/0OLeUDa5/rd2OGRkfzAhYRK 2+iflU9p5JYy0hKYVWo6h8qcjT6Ask/7DkFVYMqoJ1S0YUa07CqpSjWKIfArh4nW aJKm5YORcwwY5RJCcc3+W0ykEvWmB2DlqIPZHXB3Y8TcaC9C2+N4K3eKOp7GUDE/ fNcvTJUBAq/z5JiDNUVmLC1hZXoYeEq+WP1T7jnWYbDBNCkEtzjpchUAnkX7fzbC UsWZSOMsRPpTYmdG9FHmneUVKQOWr8vEPOH7CQdQej9aLn8UhaotDimLQlTfy/K1 KIm6pw4DP+CYOa3uBGdLmMcCxcGOwuEKJsasmO1b7YCyMLOFm8V84Is3gT+qDZQ= =mVxs -----END PGP SIGNATURE----- --NHBbLboAnfNiJilJHEDhm9VMCsLtOGhU6--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5346F98D.6030102>