ports security branch

Marwan Burelle burelle at lri.fr
Tue Dec 20 03:39:20 PST 2005


On Tue, Dec 20, 2005 at 12:15:30PM +0100, Melvyn Sopacua wrote:
> On Tuesday 20 December 2005 12:03, Marwan Burelle wrote:
> 
> > Relying on the maintainer work is a good starting point, you may trust
> > him for doing only the needed updates for those ports that require
> > security concerns. But even here, major updates of widely used libs
> > imply rebuild of most of the ports, even when no security issue
> > arises.
> 
> No it doesn't. Only with static linking or when interfaces changed, which is 
> not always the case. The fact that the gnome project is fond of changing 
> library versions with every release doesn't mean there aren't sane projects.
> Typically security patches do not update library versions, although it is 
> possible if the interface is insecure by design.

I think you don't understand my point. Regarding the actual state of the
ports tree, when something like gettext has a major version bump,
you need to rebuild most of the ports or do some tricks with links or
libmap.conf (if the major number change wasn't justified), since when
loading dynamic libs for an executable the major number is
relevant.

This just means that you cannot just do a cvsup+portupgrade, even if
you only have "security related" apps. If you only want security
updates, you first need to track which ports have security updates and
hope that this doesn't involve updating all the tree (for example,
your port foo has moved to a new version with security concerns on the
old one, but at the same time this involves moving to the last version
of libbar since its interface has changed and the last foo uses the new
version; since libbar is widely used you now need to update most of
your ports even if they don't have any security updates ... )

The point is not that this is always true, but that you have to handle
those kinds of problems if you want to maintain a security branch for
ports.

-- 
Marwan Burelle,
http://www.lri.fr/~burelle
( burelle at lri.fr | Marwan.Burelle at ens.fr )
http://www.cduce.org
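As an added example (not part of this thread, and not anyone's real ports tooling), here is a small Python model of the situation described above. It assumes constructed ldd-style output for a handful of hypothetical ports (foo, baz, qux, quux, corge) and a constructed bump of libbar's major number from 2 to 3; it lists which ports are linked against the old major and so must be rebuilt (or remapped via libmap.conf), and which of those have no security update of their own.

```python
import re

# Constructed ldd-style output per installed port (not captured from a real system).
# Only the soname and its major number matter to the dynamic loader.
SAMPLE_LDD = {
    "foo-1.0":   ["\tlibbar.so.2 => /usr/local/lib/libbar.so.2 (0x28080000)",
                  "\tlibc.so.6 => /lib/libc.so.6 (0x28100000)"],
    "baz-2.1":   ["\tlibbar.so.2 => /usr/local/lib/libbar.so.2 (0x28080000)",
                  "\tlibc.so.6 => /lib/libc.so.6 (0x28100000)"],
    "qux-0.5":   ["\tlibbar.so.2 => /usr/local/lib/libbar.so.2 (0x28080000)",
                  "\tlibintl.so.6 => /usr/local/lib/libintl.so.6 (0x28200000)"],
    "quux-3.0":  ["\tlibc.so.6 => /lib/libc.so.6 (0x28100000)"],
    "corge-1.1": ["\tlibbar.so.3 => /usr/local/lib/libbar.so.3 (0x28300000)"],
}

SONAME_RE = re.compile(r"^\s*(lib[\w+-]+)\.so\.(\d+)")

def parse_ldd(lines):
    """Map each linked library to the major number of the soname it was built against."""
    deps = {}
    for line in lines:
        m = SONAME_RE.match(line)
        if m:
            deps[m.group(1)] = int(m.group(2))
    return deps

def ports_to_rebuild(ldd_by_port, new_majors):
    """Ports whose binaries reference an old major of a bumped library.

    new_majors maps library name -> major number after the update. A minor bump
    keeps the soname, so those ports are not listed; after a major bump the old
    .so.N is gone, so the port must be rebuilt (or remapped in libmap.conf).
    """
    needs = {}
    for port, lines in ldd_by_port.items():
        deps = parse_ldd(lines)
        stale = sorted(lib for lib, major in new_majors.items()
                       if lib in deps and deps[lib] != major)
        if stale:
            needs[port] = stale
    return needs

def collateral_rebuilds(ldd_by_port, new_majors, security_ports):
    """Ports needing a rebuild only because of the bump, not for a fix of their own."""
    stale = set(ports_to_rebuild(ldd_by_port, new_majors))
    return sorted(stale - set(security_ports))

if __name__ == "__main__":
    # Hypothetical event: foo's fixed version needs libbar.so.3, bumping libbar 2 -> 3.
    bump = {"libbar": 3}
    print("rebuild:", ports_to_rebuild(SAMPLE_LDD, bump))
    print("collateral:", collateral_rebuilds(SAMPLE_LDD, bump, ["foo-1.0"]))
```

With the constructed tree, only foo has a security fix, yet baz and qux must be rebuilt as well, which is the tracking burden the mail describes.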