pkgng package repository tracking security updates

[n j]

On Mon, Jan 14, 2013 at 3:43 PM, Matthew Seaman <
m.seaman at infracaninophile.co.uk> wrote:

> On 14/01/2013 14:36, n j wrote:
> > The point of my question was exactly if it was possible to elaborate on
> the
> > "pre-compiled packages from FreeBSD official repositories" part. Would it
> > be possible to have a (security-wise) up-to-date pre-compiled packages in
> > the official repositories? Note, I don't expect an unreasonable effort
> here
> > - I understand there will always be delays between upstream fix --> ports
> > fix --> up-to-date package and it is acceptable for the binary package to
> > lag a few days behind the port (depending on the availability of package
> > building cluster or maintainer upload).
>
> Yes, there will be a pkgng package building cluster which will track
> updates to the ports and provide as up-to-date a collection of packages
> as possible for at least x86, amd64 on all supporter FreeBSD branches
> and head.  Possibly other architectures as well.
>
> However, as all that is still under construction (and construction plans
> have been heavily revised in the light of the earlier security
> compromise) I have no good idea of what sort of turn-around will be
> possible.  I expect at least as good as the old pkg build cluster
> managed and probably better.
>
>         Cheers,
>
>         Matthew
>

Thanks, that's encouraging news.

One thing to think about would be the option of port maintainers uploading
the pre-compiled package of the updated port (or if the size of the upload
is an issue then just the hash signature of the valid package archive so
other people with more bandwidth can upload it) to help the package
building cluster (at least for mainstream architectures). The idea behind
it being that the port maintainer has to compile the port anyway and pkg
create is not a big overhead. The result would be a sort of distributed
package building solution.

Regards,
-- 
Nino