Security Patches for Port Applications in Releases
Jason C. Wells
jcw at highperformance.net
Wed Jan 17 09:14:40 UTC 2007
Stevan Tiefert wrote:
> Hello list,
>
> I installed the new release 6.2 on my workstation. I also installed
> portaudit and ran it immediately afterwards. What do I have to see? 5
> vulnerable packages in my release.
>
The whole OSS community is a moving target. Security is not a static
thing. For FreeBSD to select any given time to release software for OSS
to be bug free is preposterous. Hence, you get vulnerable software even
in the packages that are tagged with your release.
> My questions:
> - Why can I update FreeBSD with security-patches and the
> Release-Packages have no security-patches?
>
The answer to the first part of your question is because FreeBSD decided
to provide such a nice service. That only rolled out in version 4 I
think. It used to be that you would track -stable. Now you get an even
more conservative security update branch.
The answer to the second part of your question is that the FreeBSD port
maintainers are not the people fundamentally working on the security of
the ports. Security patches would be produced by some third party.
FreeBSD would need to spawn yet another CVS branch to maintain the
security update branches of ports from those third parties. Yuck!
Nothing prevents a user from downloading a specific port from -HEAD and
upgrading it. You can do that or you can get the patches from the third
party source and apply them yourself.
Managing 13,000 third party applications to the level of detail that you
inquire about is way beyond what I would ask of FreeBSD. What they do
now is already extraordinary.
> - What are then the advantages of release-packages/ports to
> current-ports if I can not update release-packages with security-patches?
>
But you _can_ update the release-packages. It's just that some
maintainer or the FreeBSD project won't make it brain dead simple like
it is for updating the main branches.
I personally run only so-called -release ports. The reason I do is it
seems to reduce the amount of version dependency headaches I suffer.
When I used to track the ports (which are in -head) with cvsup I would
end up with 4 different versions of gmake, autoconf, libtool et al.
Yuck! I think that's a good reason to run ports that are tagged with
the current release. There's a lot more stability and a lot less work.
That is advantage enough for me.
> - Is a security-patch-update-system for release-packages/ports planned?
One exists. It's just not as easy as it is for the main release branches.
Release-packages is something of a misnomer anyway. A more pedantic but
more accurate name would be
"packages-that-just-happened-to-be-in-HEAD-when-we-pulled-the-release-switch-with-extra-care-given-to-gnome-and-kde".
What I mean to say is that it is inappropriate to place any more trust
or scrutiny on a release-package. The release-package distinction is
almost entirely accidental. (Yes, I know more care goes into ports near
a release date.)
Later,
Jason C. Wells