freebsd security - Aug 2015 - Quarterly packages and security updates...

[info@ removed, not sure why that email address was included.]

On Thu, Aug 13, 2015 at 04:20:08PM -0400, Mason Loring Bliss
wrote:
> A recently quarterly report:
> 
>     https://www.freebsd.org/news/status/report-2015-04-2015-06.html
> 
> and last week's BSD Now episode both hint that quarterly packages will
be the
> default for 10.2. I just looked, and sure enough:
> 
>    
https://svnweb.freebsd.org/base/releng/10.2/etc/pkg/FreeBSD.conf?view=markup
> 
> So, my issue here is that I run quarterly branches, and they are awful in
> terms of security updates. With FreeBSD 10.2 imminent, are we expecting
users
> to install vulnerable versions of things like Firefox right off the bat,
and
> then wait for whatever fixes exist at the time the next quarterly branch is
> cut?
> 
The reason this change was made is because the quarterly package set
receives less intrusive updates, but it does still receive security
updates.

This is documented in the 10.2-RELEASE release notes, which also shows
how to change back to the 'latest' branch, if you so desire.

https://www.freebsd.org/releases/10.2R/relnotes.html#releng-changes

Glen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20150813/8874924e/attachment.bin>

On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:
> [info@ removed, not sure why that email address was included.]
I'm hoping for pressure from above, as this is an important step that's
evidently being taken without quarterly branch security being bumped up in
priority. It seems to come as a surprise to many folks, and certainly I
wasn't aware of it until last week. (Also, board@ is now deprecated.)

I think the change to a default quarterly branch a fantastic idea, but
without additional security updates it's got an ugly element of risk
associated with it, too. It will be the default, so as it stands, more folks
will be running vulnerable software.

> The reason this change was made is because the quarterly package set
> receives less intrusive updates, but it does still receive security
> updates.
I included the "pkg audit" output explicitly to demonstrate that there
are
some gaping holes that will be deployed starting next week.

> This is documented in the 10.2-RELEASE release notes, which also shows
> how to change back to the 'latest' branch, if you so desire.
As noted, I'm already on the quarterly branches, because I think it's a
great
idea generally. Falling back to the high-churn option to get access to
security patches when what you want is a stable environment is an awful idea.

I'm hoping that we do this, but do it right. I can't see how anyone
could
find fault with my expressing this concern, honestly.

-- 
Mason Loring Bliss  ((   If I have not seen as far as others, it is because
 mason at blisses.org   ))   giants were standing on my shoulders. - Hal Abelson