Date: Thu, 20 Apr 2017 08:29:51 +1000
From: Dewayne Geraghty <dewaynegeraghty@gmail.com>
To: scratch65535@att.net
Cc: freebsd-ports <ports@freebsd.org>
Subject: Re: Is pkg quarterly really needed?
Message-ID: <CAGnMC6oMNbJA1hOXUX99owDhnP+r4p1-6x3dca_N_PL_RL_7AA@mail.gmail.com>
In-Reply-To: <ljhffcphq3bqr8dk2lrlld11ola28b7gqp@4ax.com>
References: <58F61A8D.1030309@a1poweruser.com> <CALfReyctL3vTt756oyh1ZTf+kgpAOHwp_SUZQCFQiZDccFNMow@mail.gmail.com> <ljhffcphq3bqr8dk2lrlld11ola28b7gqp@4ax.com>
Scratch65535,

I think your best solution is to use latest and upgrade when you need to. Unlike Freddie's comment re only desktop users using latest, I ONLY upgrade my local svn of ports when there's a vulnerability or a significant (for users) functional improvement of a port. It is a labour-intensive exercise, monitoring CVEs for all externally-facing applications.

It's a nice idea having a snapshot of ports, from the perspective of consistency, but that model doesn't suit our risk appetite on multiple levels; and in our view back-porting fixes to a quarterly snapshot, while a good idea from a security perspective, is a really bad idea from a consistency/administrative/audit perspective.

How the ports infrastructure can meet many conflicting objectives is something that we (the consumers of the ports service) must decide for our circumstances. The use-the-latest paradigm suits individuals that manage their individual machine, but when you manage multiple clients' servers, the requirements are different (try meeting SAS70-II/SSAE16-SOC2, ISO27001 SOA, NIST 800-53r5, etc.).

On a non-audit level, Microsoft might hold to monthly updates/fixes ("patch Tuesday"), but bad guys don't.

Regards, Dewayne.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGnMC6oMNbJA1hOXUX99owDhnP%2Br4p1-6x3dca_N_PL_RL_7AA>