On 2014-06-26 at 14:44 BST, Anil Jangity wrote:

> So, I am using 2014Q1 dataset and ‘pkg_admin audit’ already reports
> several vulnerabilities in standard stack (mysql, php, http…). I
> don’t know the severity of each of them, I assume these aren’t
> critical since these aren’t getting fixed?
>
> Or is the expectation these would be fixed since that is the latest
> dataset?

Not all vulnerabilities are fixed; a lot may not even be fixed upstream yet. We work on the basis of reporting everything, and then leaving it to the user to decide whether they wish to keep using the software or not, depending on the severity of the vulnerability.

2014Q1 is maintained; you can see the upstream commits to it here:

https://github.com/joyent/pkgsrc/commits/pkgsrc_2014Q1

The majority of those pullup requests are for vulnerability fixes.

> Being able to see what’s vulnerable with pkg_admin is nice but I
> think it’s a necessity to have a maintained dataset for longer
> periods of time. It’s tough to ask clients and tell them to
> re-provision all the time.

Even with an LTS release you will see lots of vulnerability reports. By the very nature of running older versions you will often end up with an unsupported release of software where upstream don't care about back-porting fixes and will expect you to update to the latest, which will not be possible in an LTS release.

-- 
Jonathan Perkin - Joyent, Inc. - www.joyent.com

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
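The reply above leaves the severity judgement to the user, so a small triage helper over the `pkg_admin audit` output is a natural companion. This is an added example, not code from the thread or from pkgsrc; it assumes the audit output line format `Package <pkg> has a <type> vulnerability, see <url>`, the sample lines are constructed, and the severity ordering of pkg-vulnerabilities types is an assumption for triage, not anything pkgsrc defines.

```python
import re
import subprocess

# Assumed output line format of "pkg_admin audit":
#   Package <pkg-version> has a <type> vulnerability, see <url>
AUDIT_RE = re.compile(r"^Package (\S+) has an? (\S+) vulnerability, see (\S+)$")

# Rough ordering of pkg-vulnerabilities types, worst first. This ranking is
# an assumption made for triage; pkgsrc does not define one.
SEVERITY_ORDER = [
    "remote-root-shell", "remote-code-execution", "local-root-shell",
    "privilege-escalation", "arbitrary-code-execution", "denial-of-service",
    "information-disclosure", "cross-site-scripting",
]

def rank(vuln_type):
    """Lower is worse; types not in the list sort after all known ones."""
    return SEVERITY_ORDER.index(vuln_type) if vuln_type in SEVERITY_ORDER else len(SEVERITY_ORDER)

def parse_audit(text):
    """Turn audit output into a list of {pkg, type, url} findings."""
    findings = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if m:
            findings.append({"pkg": m.group(1), "type": m.group(2), "url": m.group(3)})
    return findings

def triage(findings):
    """Keep the worst finding per package and sort packages worst first."""
    worst = {}
    for f in findings:
        cur = worst.get(f["pkg"])
        if cur is None or rank(f["type"]) < rank(cur["type"]):
            worst[f["pkg"]] = f
    return sorted(worst.values(), key=lambda f: (rank(f["type"]), f["pkg"]))

def run_audit():
    # pkg_admin exits non-zero when vulnerable packages are found, so no check=True.
    p = subprocess.run(["pkg_admin", "audit"], capture_output=True, text=True)
    return parse_audit(p.stdout)

# Constructed sample output; not captured from a real system.
SAMPLE = """\
Package php-5.4.27 has a denial-of-service vulnerability, see https://example.invalid/php-dos
Package mysql-server-5.5.35 has a remote-code-execution vulnerability, see https://example.invalid/mysql-rce
Package php-5.4.27 has a remote-code-execution vulnerability, see https://example.invalid/php-rce
Package apache-2.4.7 has a information-disclosure vulnerability, see https://example.invalid/httpd-info
"""

if __name__ == "__main__":
    for f in triage(parse_audit(SAMPLE)):
        print(f"{f['type']:24} {f['pkg']:22} {f['url']}")
```

Replace `parse_audit(SAMPLE)` with `run_audit()` to triage a live system; packages whose worst finding is low in the list are the ones a user can more reasonably keep running while waiting for a pullup.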
