interim port versions

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Oct 22 09:01:36 PDT 2004


On Fri, Oct 22, 2004 at 06:50:13AM -0700, Randall Foster wrote:
> I'm new to the BSDs, came from Linux and I'm having a bit of difficulty
> figuring out the general philosophy.
> 
> One of the major reasons that I decided to try out the 'BSDs' is
> because of the security.  I'm having a hard time however figuring out
> how security issues in the ports get dealt with when there is a port
> freeze, like now.  The best example I can think of is gaim...(I almost
> didn't recheck the port on the 4.10 tree, it's now mysteriously up to
> date, phew.)

The ports freeze is over now, and has been for about the past
fortnight.

Even if there's a ports freeze on, a security bugfix is one of the
class of things that portmgr will generally permit committal of -- for
instance there were a whole row of fixes that went into Mozilla and
allied ports during the last freeze.

Note also that development on the ports tree is not branched --
i.e. there isn't a special version of the ports tree to match each
available version of the OS, despite the impression to the contrary
that having the per-release pre-compiled packages available from the
archives gives.  If you're using ports, for best results, you should
be regularly using cvsup(1) to synch with the latest state of the
ports tree, and you should probably be regularly updating your
installed ports to the latest versions by using portupgrade(1) or
otherwise.  Similarly if you're using pre-compiled packages (which you
can mix freely with ports from the tree, so long as the dependencies
all still match) -- except that the pre-compiled packages don't get
updated as quickly as the ports tree in general.
 
> ......slightly altered next paragraph....
> let's say I found out there is an MSN SLP buffer overflow (like currently)
> and I wanted to protect myself....so I cvsuped my ports tree and then
> wanted to portupgrade....... problem is...since it's a port freeze...up
> until a few days ago it's still at 0.82, not the 1.02 that is out now. I
> watched it and never saw version 1.00 or 1.01.  Are the ports frozen
> _except_for_security_fixes or am I missing something?

You are missing something.  Security fixes will be applied. 
 
> I looked around on the lists for this but didn't see it and it seems
> like a fairly big deal if security issues arise during a freeze.

In order to be notified of any known security problems in the ports
you have installed, install the security/portaudit port.  You'll get a
report of any problems added to your daily e-mail.

In addition to that, use http://vuxml.freebsd.org/ for all of the
known security issues with the ports over the last 20-odd months
(since the VuXML database was created).

Also check out http://beta.freshports.org/ which will show you any
issues known to affect any particular version of a port.  Use the
watchlist feature to receive notification of updates to any ports
you're interested in.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK