Re: interim port versions

2004-10-22 Thread Matthew Seaman
On Fri, Oct 22, 2004 at 06:50:13AM -0700, Randall Foster wrote:
> I'm new to the bsd's, came from linux and i'm having a bit of difficulty
> figuring out the general philosophy.
> 
> One of the major reasons that i decided to try out the 'bsds'  is
> because of the security.  I'm having a hard time however figuring out
> how security issues in the ports get dealt with when there is a port
> freeze, like now.  The best example i can think of is gaim...(i almost
> didn't recheck the port on the 4.10 tree, it's now mysteriously up to
> date, phew.)

The ports freeze is over now, and has been for about the past
fortnight.

Even if there's a ports freeze on, a security bugfix is one of the
class of things that portmgr will generally permit committal of -- for
instance there were a whole row of fixes that went into Mozilla and
allied ports during the last freeze.

Note also that development on the ports tree is not branched --
i.e. there isn't a special version of the ports tree to match each
available version of the OS, despite the impression to the contrary
that having the per-release pre-compiled packages available from the
archives gives.  If you're using ports, for best results, you should
be regularly using cvsup(1) to synch with the latest state of the
ports tree, and you should probably be regularly updating your
installed ports to the latest versions by using portupgrade(1) or
otherwise.  Similarly if you're using pre-compiled packages (which you
can mix freely with ports from the tree, so long as the dependencies
all still match) -- except that the pre-compiled packages don't get
updated as quickly as the ports tree in general.
 
> ..slightly altered next paragraph
> lets say i found out there is a msn slp buffer overflow (like currently)
> and i wanted to protect myself so i cvsuped my ports tree and then
> wanted to portupgrade... problem is...since it's a port freeze...up
> until a few days ago it's still at 0.82  not the 1.02 that is out now, I
> watched it and never saw version 1.00 or 1.01.  Are the ports frozen
> _except_for_security_fixes or am i missing something.

You are missing something.  Security fixes will be applied. 
 
> I looked around on the lists for this but didn't see it and it seems
> like a fairly big deal if security issues arise during a freeze.

In order to be notified of any known security problems in the ports
you have installed, install the security/portaudit port.  You'll get a
report of any problems added to your daily e-mail.

In addition to that, use http://vuxml.freebsd.org/ for all of the
known security issues with the ports over the last 20-odd months
(since the VuXML database was created).

Also check out http://beta.freshports.org/ which will show you any
issues known to affect any particular version of a port.  Use the
watchlist feature to receive notification of updates to any ports
you're interested in.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
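
The kind of check described above (installed package versions matched against VuXML affected ranges), as an added example that is not part of the original post and is not portaudit's own code. The VuXML entry, its vid, the version range and the installed-package list are constructed placeholders, and the version comparison is a simplification of pkg_version(1).

```python
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML-style entry; vid and range are placeholders, not real data.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>gaim -- MSN SLP buffer overflow (constructed sample)</topic>
    <affects><package><name>gaim</name>
      <range><lt>1.0.2</lt></range></package></affects>
  </vuln>
</vuxml>"""

# Constructed list in the name-version form that pkg_info prints.
INSTALLED = ["gaim-0.82", "mozilla-1.7.3_1,2", "portaudit-0.5.9"]

def vkey(version):
    """Simplified sort key: (epoch, dotted numbers, revision).
    Assumption: numeric components only, no letters or wildcards."""
    version, _, epoch = version.partition(",")
    version, _, rev = version.partition("_")
    nums = tuple(int(n) for n in re.findall(r"\d+", version))
    return (int(epoch or 0), nums, int(rev or 0))

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def in_range(version, rng):
    """Every bound inside one <range> element must hold."""
    return all(OPS[b.tag.split("}")[1]](vkey(version), vkey(b.text)) for b in rng)

def audit(installed, vuxml_text):
    """Return (package, vid, topic) for each installed package in an affected range."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for pkg in installed:
        name, _, version = pkg.rpartition("-")
        for vuln in root.findall("v:vuln", NS):
            for affected in vuln.findall("v:affects/v:package", NS):
                names = [n.text for n in affected.findall("v:name", NS)]
                ranges = affected.findall("v:range", NS)
                if name in names and any(in_range(version, r) for r in ranges):
                    hits.append((pkg, vuln.get("vid"),
                                 vuln.findtext("v:topic", namespaces=NS)))
    return hits

if __name__ == "__main__":
    for pkg, vid, topic in audit(INSTALLED, SAMPLE_VUXML):
        print(f"{pkg} is affected: {topic} ({vid})")
```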




Re: interim port versions

2004-10-22 Thread Kris Kennaway
On Fri, Oct 22, 2004 at 06:50:13AM -0700, Randall Foster wrote:
> I'm new to the bsd's, came from linux and i'm having a bit of difficulty
> figuring out the general philosophy.
> 
> One of the major reasons that i decided to try out the 'bsds'  is
> because of the security.  I'm having a hard time however figuring out
> how security issues in the ports get dealt with when there is a port
> freeze, like now.  The best example i can think of is gaim...(i almost
> didn't recheck the port on the 4.10 tree, it's now mysteriously up to
> date, phew.)
> 
> ..slightly altered next paragraph
> lets say i found out there is a msn slp buffer overflow (like currently)
> and i wanted to protect myself so i cvsuped my ports tree and then
> wanted to portupgrade... problem is...since it's a port freeze...up
> until a few days ago it's still at 0.82  not the 1.02 that is out now, I
> watched it and never saw version 1.00 or 1.01.  Are the ports frozen
> _except_for_security_fixes or am i missing something.
> 
> 
> I looked around on the lists for this but didn't see it and it seems
> like a fairly big deal if security issues arise during a freeze.

Easy..if a security fix is submitted to portmgr during a freeze, it's
almost always going to be approved.

Kris




RE: interim port versions

2004-10-26 Thread Spiral Eyed Girl
Quick question: What's a port freeze?

> From: "Aaron P. Martinez" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: interim port versions
> Date: Thu, 21 Oct 2004 18:48:18 -0500
>
> I'm new to the bsd's, came from linux and i'm having a bit of difficulty
> figuring out the general philosophy.
>
> One of the major reasons that i decided to try out the 'bsds'  is
> because of the security.  I'm having a hard time however figuring out
> how security issues in the ports get dealt with when there is a port
> freeze, like now.  The best example i can think of is gaim...(i almost
> didn't recheck the port on the 4.10 tree, it's now mysteriously up to
> date, phew.)
>
> ..slightly altered next paragraph
> lets say i found out there is a msn slp buffer overflow (like currently)
> and i wanted to protect myself so i cvsuped my ports tree and then
> wanted to portupgrade... problem is...since it's a port freeze...up
> until a few days ago it's still at 0.82  not the 1.02 that is out now, I
> watched it and never saw version 1.00 or 1.01.  Are the ports frozen
> _except_for_security_fixes or am i missing something.
>
> I looked around on the lists for this but didn't see it and it seems
> like a fairly big deal if security issues arise during a freeze.
>
> Thanks in advance,
> Aaron
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
"[EMAIL PROTECTED]"


Re: interim port versions

2004-10-26 Thread Charles Swiger
On Oct 26, 2004, at 3:52 PM, Spiral Eyed Girl wrote:
> Quick question: What's a port freeze?

Normally, the port committers make changes to the ports tree all of the
time, on a continuing basis.  A ports freeze occurs to help get the
ports tree caught up and avoid making sweeping changes just before a
new version of the OS is released.

See: http://www.freebsd.org/releng/index.html

During a ports freeze, changes need to be approved by portmgr.

--
On Oct 21, 2004, at 7:48 PM, Aaron P. Martinez wrote:
> I'm new to the bsd's, came from linux and i'm having a bit of difficulty
> figuring out the general philosophy.

OK.  (Welcome!)

> One of the major reasons that i decided to try out the 'bsds'  is
> because of the security.  I'm having a hard time however figuring out
> how security issues in the ports get dealt with when there is a port
> freeze, like now.  The best example i can think of is gaim...(i almost
> didn't recheck the port on the 4.10 tree, it's now mysteriously up to
> date, phew.)

As I mentioned above, the ports tree still changes during a freeze.
Security fixes to ports are very likely to get quick approval by
portmgr.

> ..slightly altered next paragraph
> lets say i found out there is a msn slp buffer overflow (like currently)
> and i wanted to protect myself so i cvsuped my ports tree and then
> wanted to portupgrade... problem is...since it's a port freeze...up
> until a few days ago it's still at 0.82  not the 1.02 that is out now, I
> watched it and never saw version 1.00 or 1.01.  Are the ports frozen
> _except_for_security_fixes or am i missing something.

I was going to say, "the latter", but maybe it's a little of both.  :-)
Note that you are free to update ports manually.  Try looking for a PR
containing the changes to update the port(s) you care about, or perhaps
by doing the work yourself.

> I looked around on the lists for this but didn't see it and it seems
> like a fairly big deal if security issues arise during a freeze.

This issue was recently discussed here:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=146244+0+/usr/local/www/db/text/2004/freebsd-current/20041017.freebsd-current
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=149246+0+archive/2004/freebsd-current/20041017.freebsd-current

--
-Chuck