ports security branch

rihad rihad at mail.ru
Tue Dec 20 04:26:55 PST 2005


Marwan Burelle wrote:
> On Tue, Dec 20, 2005 at 02:18:13PM +0400, rihad wrote:
> 
>>A very interesting script for its own purpose, but I'm afraid this 
>>doesn't answer my question at all. Perhaps seeing the way that e.g. 
>>Debian deals with the upgrade problem might shed some light on the 
>>issue. Hell, FreeBSD does exactly that for the base world+kernel, too! 
>>Not for the ports, though.
> 
> 
> The "debian way" is to have a frozen tree and restrained updates; this
> induces at least two levels of maintenance, one that follows
> "on-the-edge" updates and the other that only follows security
> updates. The problem is that most applications don't work like that,
> they don't maintain two branches, and thus you need (or the maintainer
> of the ports needs) to maintain a bunch of security patches for that
> app that doesn't have any dependence links (or at least only to other
> security updates ... )
> 
> This is a lot of work, and IMHO that's why debian stable is so often
> outdated (and sometimes completely obsolete.) This also raises
> questions like "when should we move to the next/last release?",
> "Is that patch-set too important?" ...
> 
> My own experience shows me that most of the time when you only need
> security updates, that means that your box is "specialized" in some
> way with a small set of installed ports and thus every update in the
> tree for those ports is relevant. Otherwise, you may want to have up
> to date ports because it's providing you with shiny new features ;)
> 

I think Debian does an excellent job of taking the common load off of 
the shoulders of its users by providing security package updates with no 
changes in functionality wherever possible. Change in software 
functionality, configs, dependencies etc. almost always hurts; that's 
what Debian is trying to save its users from. Imagine: Foo 1.2.3 that 
was current at the time of the FreeBSD 6.0 release gets a severe vuln after 
some time. Some admins upgrade to the latest and greatest Foo 1.2.9, 
others to Foo 1.2.7 (probably with a not recently updated ports tree)... 
Still with me? Factoring this security upgrade path into the OS so that 
all users get the same fix and functionality is a very hard thing to do 
and maintain, I'd guess.

FreeBSD's "latest and greatest" attitude is very relevant for desktop 
users and such. I think it would be even better to make 
security-conscious server admins' lives even better. Put up a box, 
forget about it, do a major upgrade in a year. Oversimplifying here...
