On 2023/08/30 07:39, Oikei wrote:
> Hello, I'm new to OpenBSD so I'm unsure if I'm doing something wrong or if I'm
> even posting to the right mailing list.
> It has come to my attention that the net/synapse package is 14 updates behind
> and is vulnerable. I checked openbsd.app and the net/synapse package really
> is 14 updates behind, with it being on 1.76 while the latest is 1.90.
> Checking the source on GitHub:
> https://github.com/openbsd/ports/tree/master/net/synapse
> it was updated last month and is on 1.89.
>
> So my question is, why is the latest version in the repos 1.76 when looking
> at the source it's on 1.89? Sorry if I totally missed something...

You can't tell from the git mirror*, but if you look in the original CVS repo (https://cvsweb.openbsd.org/ports/net/synapse/Makefile) you'll see some commits with CVS tags e.g. OPENBSD_7_3 and some without. Those without tags are only in -current snapshots, not a release.

Often ports security updates do get backported to the most recent OpenBSD release (with binary packages built for some common CPU archs), but synapse is a super fast changing target and very often requires specific new versions of other ports, so it's not a great candidate for that; it's too hard to check that all those other updates don't break older versions of other ports.

So if you're running software like this I recommend running snapshots and updating both base and all packages fairly often.

* (we didn't find any git conversion tool that looks at CVS tags which can actually handle the OpenBSD repo).
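
The tag check described in the reply above can be done mechanically on `cvs log` output. The following is an added example, not part of the original message or of OpenBSD's tooling: it reads the `symbolic names:` header, decodes the CVS branch tag, and sorts revisions into those in the release, those backported to its stable branch, and those only in -current. The sample log, its path and revision numbers are constructed, the function names are hypothetical, and it assumes the release branch was taken from the trunk.

```python
import re

# Constructed, abridged `cvs log` output; path and revision numbers are made up.
SAMPLE_LOG = """\
RCS file: /cvs/ports/net/example/Makefile,v
symbolic names:
\tOPENBSD_7_3: 1.9.0.2
\tOPENBSD_7_3_BASE: 1.9
----------------------------
revision 1.11
----------------------------
revision 1.10
----------------------------
revision 1.9
----------------------------
revision 1.9.2.1
"""

def parse_symbols(log):
    """Return {tag: revision} from the 'symbolic names:' header block."""
    syms, in_block = {}, False
    for line in log.splitlines():
        if line.startswith("symbolic names:"):
            in_block = True
        elif in_block:
            m = re.match(r"\s+(\S+): ([\d.]+)$", line)
            if not m:
                break
            syms[m.group(1)] = m.group(2)
    return syms

def branch_prefix(magic):
    """CVS records a branch tag as e.g. 1.9.0.2, which means branch 1.9.2."""
    parts = magic.split(".")
    if len(parts) < 4 or parts[-2] != "0":
        raise ValueError(f"not a branch tag: {magic}")
    return ".".join(parts[:-2] + parts[-1:])

def classify(log, branch_tag):
    """Sort revisions: in the release, on its stable branch, or -current only."""
    prefix = branch_prefix(parse_symbols(log)[branch_tag])
    base = tuple(map(int, prefix.split(".")[:-1]))  # trunk branch point, e.g. (1, 9)
    out = {"release": [], "stable": [], "current_only": []}
    for rev in re.findall(r"^revision ([\d.]+)", log, re.M):
        nums = tuple(map(int, rev.split(".")))
        if rev.startswith(prefix + "."):
            out["stable"].append(rev)
        elif len(nums) == 2:  # trunk revision
            out["current_only" if nums > base else "release"].append(rev)
    return out
```

A security fix whose revision lands in `current_only` has not reached the release's packages; one in `stable` was backported.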