You can pay someone to build them for you, where M:Tier springs to mind.

Also, having a build host (or VM) somewhere running -stable and (re)building
any updated -stable port for your particular platform isn't all that
difficult and hard, especially if it's just about a single or a specific
small subset of ports.

Building ports numbering upwards to 10000 or whatever today's list is, and
co-publishing it as any single one gets an update takes a certain amount of
effort, for which snapshots right now only get that kind of attention, and
the per-6month package builds.

So the juxtaposition thing is a bit weird, since updates do get published,
it's just that you also need to chip in with a bit of effort if your
particular port got a security update in -stable. So the project can still
be about security if it does updates, even if you can't just lean back and
open your mouth and get spoonfed precompiled binaries the same day. The
project updates -stable and -current ports (and base) in terms of CVS
commits.

The prebuilt packages, if any, are a nice bonus on top of that.


2016-08-19 9:45 GMT+02:00 Mark Carroll <m...@ixod.org>:

> On 19 Aug 2016, thu...@yeuxdelibad.net wrote:
>
> > I was wondering if packages for -release would be fixed if a security
> > issue is found in one of these third party programs, which could be
> > updated with pkg_add -u.
>
> It's a good question. I was quite amused to notice the juxtaposition of:
>
> ] Our aspiration is to be NUMBER ONE in the industry for security (if we
> ] are not already there).
>
> ] The ports tree is meant for advanced users. Everyone is encouraged to
> ] use the pre-compiled binary packages.
>
> ] When serious bugs or security flaws are discovered in third party
> ] software, they are fixed in the -stable branch of the ports tree. Note
> ] that binary packages for -release and -stable are not updated.
>
> I am guessing that your fear is correct but it's a matter of resource
> availability given the effort it takes to keep the core system great. If
> we want security updates for binary packages then I'd hope that people
> agree it to be a good idea in the abstract but we probably need to
> volunteer actual work (or donate more!) if it is to actually happen.
>
> -- Mark
>
>


-- 
May the most significant bit of your life be positive.
