Is there a security branch for the FreeBSD ports collection? Let's say I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages (i.e., those on the CD). Running security/portaudit after a while reveals that some of the installed packages have vulnerabilities. Am I on my own to go grab the fresh ports tree and upgrade the affected software, suffering all the intricacies of the move by myself? Debian GNU/Linux has its security package updates; OpenBSD has a separately maintained "errata" ports branch (it's very likely you still get to download a newer release of the software, though). Sorry if this is a bit OT. I've already asked this on freebsd-questions@ but they told me there's no such thing at all.
On Tuesday, December 20, 2005 6:26 AM when we last met our heroes, owner-freebsd-stable@freebsd.org <> was heard to say:

> Sorry if this is a bit OT. I've already asked this on
> freebsd-questions@
> but they told me there's no such thing at all.

And they were correct. The overhead of managing such a thing correctly would be significant, probably more than the overhead of managing the base port itself.

-- 
Rob | Oh my God! They killed init! You bastards!
On Tuesday 20 December 2005 11:49, Yann Golanski wrote:

> Quoth Melvyn Sopacua on Tue, Dec 20, 2005 at 11:43:55 +0100
> > I had one that was safe to run in cron (in fact it ran in
> > periodic/daily), but uses a cvs tree of ports, not cvsup to save
> > time[1]. I lost it with a disk crash, but was going to recreate it
> > anyway, might as well do it now if people are interested.
>
> Yeah, I'm interested.
>
> How did you deal with ports doing a "make config" before updating?...
> That was the crunch for me -- hence lots of portupgrade hanging.

Hmm, not sure why that's an issue. Maybe because I set PATH in my script?

-- 
Melvyn Sopacua
freebsd.stable@melvyn.homeunix.org
FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3
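The cron-safe audit-and-upgrade script discussed above, as an added example; it is not Melvyn's lost script nor anything from the FreeBSD project. It assumes a FreeBSD 6.x host with security/portaudit and ports-mgmt/portupgrade installed and, optionally, /usr/ports checked out with cvs. The function names (affected_pkgs, run_audit_upgrade) and the sample portaudit output are this example's own; the "make config" hang is avoided by exporting BATCH=yes, which the ports framework honours to take default options non-interactively, and by detaching stdin from any terminal.

```shell
#!/bin/sh
# Added example, not a script from the thread: a cron-safe audit-and-upgrade
# wrapper for FreeBSD 6.x. Assumes security/portaudit and ports-mgmt/portupgrade
# are installed and that $PORTSDIR may be a CVS checkout.
# Function names (affected_pkgs, run_audit_upgrade) are this example's own.

PORTSDIR=${PORTSDIR:-/usr/ports}

# Reduce "Affected package: foo-1.2.3_1,2" lines from `portaudit -a` to bare
# package names. The version is everything after the last '-' in a package
# name, so stripping that suffix leaves a name portupgrade accepts as a glob.
affected_pkgs() {
    sed -n 's/^Affected package: //p' | sed 's/-[^-]*$//' | sort -u
}

# Constructed sample of `portaudit -a` output, so the parser can be exercised
# offline on a machine without portaudit.
SAMPLE_AUDIT='Affected package: foo-1.2.3
Type of problem: foo -- remote buffer overflow.

Affected package: bar-baz-2.0_1,1
Type of problem: bar-baz -- denial of service.

2 problem(s) in your installed packages found.'

sample_affected() {
    printf '%s\n' "$SAMPLE_AUDIT" | affected_pkgs
}

# Refresh the tree, refresh the vulnerability database, then upgrade only the
# packages portaudit flags. Everything runs with no terminal: BATCH=yes makes
# the ports framework take default options instead of waiting in "make config",
# and stdin is /dev/null so nothing can block on a prompt.
run_audit_upgrade() {
    command -v portaudit >/dev/null 2>&1 || { echo "portaudit not installed" >&2; return 1; }
    command -v portupgrade >/dev/null 2>&1 || { echo "portupgrade not installed" >&2; return 1; }

    if [ -d "$PORTSDIR/CVS" ]; then
        (cd "$PORTSDIR" && cvs -q update -dP) </dev/null
    fi

    portaudit -F >/dev/null 2>&1         # fetch the current auditfile

    # portaudit -a exits non-zero when it finds problems; only the list matters here.
    pkgs=$(portaudit -a 2>/dev/null | affected_pkgs)
    if [ -z "$pkgs" ]; then
        echo "no vulnerable packages installed"
        return 0
    fi

    rc=0
    for p in $pkgs; do
        # As the thread notes, the ports framework refuses to build a version
        # that is itself still listed in the auditfile, so a failure here
        # usually means the fix has not reached the tree yet. Record it and
        # keep going rather than aborting the whole run.
        if ! BATCH=yes portupgrade "$p" </dev/null; then
            echo "upgrade of $p failed; still vulnerable" >&2
            rc=1
        fi
    done
    return $rc
}

# Invoke as `sh audit-upgrade.sh run` from periodic/daily or cron; with no
# argument the script only defines the functions.
if [ "${1:-}" = "run" ]; then
    run_audit_upgrade
fi
```

Running it with `run` from periodic/daily gives a log line per package that could not be brought to a non-vulnerable version, which is exactly the list an admin has to deal with by hand; everything else is upgraded without a terminal.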
> > > Imagine: Foo 1.2.3 that
> > > was current at the time of FreeBSD 6.0 release gets a severe vuln after
> > > some time. Some admins upgrade to the latest and greatest Foo 1.2.9,
> > > others to Foo 1.2.7 (probably with not recently updated ports tree)...
>
> If 1.2.7 is secure, there is no problem. If 1.2.7 is not, portaudit will not
> let you upgrade. It seems to me, you need to familiarize yourself first with
> the mechanisms in place already, before shooting it.

Scrolling a couple of pages backwards, you suddenly realize that it was I who first mentioned the role of portaudit in maintaining the security info in this "thread". Nevermind. There _might_ be a problem if one always upgrades to a newer release, this way or another, right on the production machine. The whole point of security updates is making users' lives easier. You upgrade, you want the software-OS bundle to behave, feel and touch _exactly_ the same way it did before. Once again, FreeBSD already _does_ that to the base system.