Date: Tue, 20 Dec 2005 12:39:07 +0100
From: Marwan Burelle <burelle@lri.fr>
To: Melvyn Sopacua <freebsd.stable@melvyn.homeunix.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: ports security branch
Message-ID: <20051220113907.GB66112@melkor.kh405.net>
In-Reply-To: <200512201215.30165.freebsd.stable@melvyn.homeunix.org>
References: <43A7A3F7.7060500@mail.ru> <43A7DA65.1020801@mail.ru> <20051220110315.GA66112@melkor.kh405.net> <200512201215.30165.freebsd.stable@melvyn.homeunix.org>
On Tue, Dec 20, 2005 at 12:15:30PM +0100, Melvyn Sopacua wrote:
> On Tuesday 20 December 2005 12:03, Marwan Burelle wrote:
>
> > Relying on the maintainer's work is a good starting point; you may trust
> > him to do only the needed updates for those ports that require
> > security concerns. But even here, major updates of widely used libs
> > imply a rebuild of most of the ports, even when no security issue
> > arises.
>
> No it doesn't. Only with static linking or when interfaces changed, which is
> not always the case. The fact that the gnome project is fond of changing
> library versions with every release doesn't mean there aren't sane projects.
> Typically security patches do not update library versions, although it is
> possible if the interface is insecure by design.

I think you don't understand my point. Regarding the actual state of the ports tree, when something like gettext has a major version bump, you need to rebuild most of the ports or do some tricks with links or libmap.conf (if the major number change wasn't justified), since when loading dynamic libs for an executable the major number is relevant. This just means that you could not just do a cvsup+portupgrade, even if you only have "security related" apps; if you only want security updates, you first need to track which ports have security updates and hope that this doesn't involve updating all the tree (for example, your port foo has moved to a new version with security concerns on the old one, but at the same time this involves moving to the latest version of libbar since its interface has changed and the latest foo uses the new version; since libbar is widely used you now need to update most of your ports even if they don't have any security updates ...)

The point is not that this is always true, but that you have to handle those kinds of problems if you want to maintain a security branch for ports.

-- 
Marwan Burelle, http://www.lri.fr/~burelle
( burelle@lri.fr | Marwan.Burelle@ens.fr )
http://www.cduce.org
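The message above describes the two ways out after a shared library's major number bumps (gettext's libintl in the example): rebuild every port linked against the old soname, or remap the old soname with libmap.conf when the bump did not really change the ABI. The following added script, which is not code from the thread or from the FreeBSD project, shows how a practitioner would first measure the impact radius and then produce a libmap.conf entry scoped to one executable. The `ldd` output is constructed inline so the script runs offline; the library names, paths and the `.6` to `.8` bump are assumptions for illustration, and the libmap.conf layout (`[/path/to/exe]` section followed by `old new` pairs) is the format documented in libmap.conf(5).

```shell
#!/bin/sh
# Constructed ldd-style output (not captured from a real system): three
# executables after libintl's major bumped from .6 to .8 and the old
# library file was removed. Names and paths are illustrative assumptions.
LDD_SAMPLE='/usr/local/bin/foo:
    libintl.so.6 => not found (0x0)
    libc.so.6 => /lib/libc.so.6 (0x28100000)
/usr/local/bin/bar:
    libintl.so.8 => /usr/local/lib/libintl.so.8 (0x28080000)
    libc.so.6 => /lib/libc.so.6 (0x28100000)
/usr/local/bin/baz:
    libintl.so.6 => not found (0x0)
    libbar.so.3 => /usr/local/lib/libbar.so.3 (0x28090000)'

# broken_by_lib LIBNAME
# Print every executable whose ldd output lists LIBNAME as "not found".
# This is the set a rebuild (or a libmap.conf remap) has to cover; the
# executables that already resolve the new major are left out.
broken_by_lib() {
    lib="$1"
    printf '%s\n' "$LDD_SAMPLE" | awk -v lib="$lib" '
        /^\// { exe = $1; sub(/:$/, "", exe); next }   # "path:" header line
        $1 == lib && $0 ~ /not found/ { print exe }     # dependency line
    '
}

# libmap_entry EXE OLD_SONAME NEW_SONAME
# Emit a libmap.conf stanza that redirects OLD_SONAME to NEW_SONAME for
# EXE only. Scoping it to one executable keeps the remap from silently
# applying system-wide. This is only safe when the major bump did not
# change the ABI; if the interface really changed, the program will load
# and then misbehave or crash, so the honest fix is the rebuild.
libmap_entry() {
    exe="$1"; old="$2"; new="$3"
    printf '[%s]\n%s\t%s\n' "$exe" "$old" "$new"
}

# Usage: list the casualties of the bump, then draft a remap for each.
for exe in $(broken_by_lib libintl.so.6); do
    libmap_entry "$exe" libintl.so.6 libintl.so.8
done
```

On a real host you would replace `LDD_SAMPLE` with `ldd` run over the installed binaries (for example the files listed by `pkg_info -L`), and only fall back to the remap after confirming, from the library's own release notes, that the bump was a renumbering and not an interface change.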
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051220113907.GB66112>