b...@openbsd.rutgers.edu wrote:
On 31 March 2009 at 0:56, Stefan Sperling <s...@stsp.name> wrote:

On Mon, Mar 30, 2009 at 07:22:08PM -0400, Aaron W. Hsu wrote:
It's much easier for people in -STABLE to just run the stable packages.
That is still probably the best advice for most people.
Yes.

Also, due to various exploit mitigation techniques in OpenBSD,
many bugs that show up in ports are not exploitable or harder to exploit:
http://cvs.openbsd.org/papers/ven05-deraadt/index.html

If you additionally use things like noscript in firefox,
as a desktop user you are already much safer than most other
desktop users out there.

true...

[snip]

If you run critical and publicly accessible OpenBSD servers, of course
you will want to patch all services from ports you are running as soon
as security updates become available upstream. And when you're running
these kinds of servers there's certainly no harm in learning how to patch
ports yourself. It might be tedious to do, but that's why we have
the current -stable ports situation.

That's where I am: production servers with software that needs security
fixes.

On the other hand, I don't think anyone would complain if there were
someone tracking the security updates and making sure that they got in
to -STABLE or at least that the patches were sent to po...@.
http://openbsd.rutgers.edu/4.4-stable/ looks like a good start.
Do all those patches get posted to po...@? Do people use them?
If so, that's a great start.

Thanks, Ian and I try.  They aren't all posted to ports, though Ian has
shared some here.  It was discouraged so we try to not spam the list
(though there is another list set up for -stable ports discussion).

:-) as best we can. I've probably been a little slacking of late... I digress... I usually submit to ports@ just so the stuff I work on finds its way into the archive in case people are searching.

Is it used?  Yes, but not as much as I'd expect... especially given how
many people talk about it.  I use it in production on several machines.

As do I.

Is this the new de-facto standard -stable ports tree yet?

:-)

I was hoping someday... that was why we take the time to produce
per-port patches.  But I've been doing this since -stable ports was
abandoned ~4.1.  Few if any have ever gotten committed to the official
tree, although several committers have been interested at one time or
another.
Per-port patches make it easier for you to see the changes. Are people interested enough in a stable cvs tree? The only issue here is it won't be a sanctioned OpenBSD cvs stable ports tree and you're probably going to be diffing it against a release tree anyway to see the changes.

Just what grabs people's fancy with regard to -stable ports???

Ian McWilliam
