* On 2014-06-05 at 09:16 BST, Anil Jangity via smartos-discuss wrote:

> Does SmartOS/Joyent plan to deliver LTS versions of the user-land
> datasets (pkgsrc)?

It's something we will probably have to implement at some point, as it will get to the stage where we just have a crazy number of branches we're trying to maintain. We will likely be open to hear from customers/users on what would suit them in this regard, as it doesn't matter much to us what the schedule would be, so input on what would make sense for you would be welcome.

> What is the recommended upgrade path from one release to another?

The recommended upgrade path is always to re-provision and migrate your data across. It is the only way to ensure that everything is in sync and working correctly. Whilst it may seem a bit of a burden compared to some magical dist-upgrade (which will never handle every case 100% perfectly), it does have benefits that it forces you into proper configuration management and separation of configuration and data.

> I know the sets are released every quarter, does the
> quarter-minus-one release no longer get maintained when a new one is
> out?

Officially, yes. The pkgsrc releng team only maintain the most recent branch, which is currently 2014Q1. As soon as 2014Q2 is cut at the end of this month, 2014Q1 will no longer receive security fixes.

However, we know that many customers and users do not keep in sync with the most recent releases, so we (Joyent) continue to maintain older branches on a best-effort basis. For example, with Heartbleed we backported the OpenSSL upgrade to all vulnerable branches, which you will not find in upstream pkgsrc.

It is recommended that you always use the latest release and upgrade as soon as you can, as we cannot guarantee that we will backport every security fix.

It's worth noting at this point that pkgsrc has native support for reporting on vulnerable packages. We have a pkgsrc security team who maintain a file containing all known vulnerabilities, and it is matched against the packages you have installed.

To use it, run:

  $ pkg_admin fetch-pkg-vulnerabilities
  $ pkg_admin audit

You may find with older images that there are rather a lot of matching vulnerabilities!

Regards,

-- 
Jonathan Perkin - Joyent, Inc. - www.joyent.com
