Quarterly packages and security updates...

Mason Loring Bliss mason at blisses.org
Thu Aug 13 21:01:33 UTC 2015


On Thu, Aug 13, 2015 at 08:40:23PM +0000, Glen Barber wrote:

> [info@ removed, not sure why that email address was included.]

I'm hoping for pressure from above, as this is an important step that's
evidently being taken without quarterly branch security being bumped up in
priority. It seems to come as a surprise to many folks, and certainly I
wasn't aware of it until last week. (Also, board@ is now deprecated.)

I think the change to a default quarterly branch is a fantastic idea, but
without additional security updates it's got an ugly element of risk
associated with it, too. It will be the default, so as it stands, more folks
will be running vulnerable software.


> The reason this change was made is because the quarterly package set
> receives less intrusive updates, but it does still receive security
> updates.

I included the "pkg audit" output explicitly to demonstrate that there are
some gaping holes that will be deployed starting next week.


> This is documented in the 10.2-RELEASE release notes, which also shows
> how to change back to the 'latest' branch, if you so desire.

As noted, I'm already on the quarterly branches, because I think it's a great
idea generally. Falling back to the high-churn option to get access to
security patches when what you want is a stable environment is an awful idea.

I'm hoping that we do this, but do it right. I can't see how anyone could
find fault with my expressing this concern, honestly.

-- 
Mason Loring Bliss  ((   If I have not seen as far as others, it is because
 mason at blisses.org   ))   giants were standing on my shoulders. - Hal Abelson
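The message above refers to the 10.2-RELEASE notes for switching a host from the new quarterly default back to the 'latest' package branch. The following POSIX sh script is an added example for this page and is not code from the thread or from the FreeBSD project: it writes the per-repository override that pkg(8) merges on top of /etc/pkg/FreeBSD.conf, refuses any branch name other than the two that pkg.FreeBSD.org publishes, and reads back which branch a given config selects. It assumes the stock repository is named "FreeBSD" and served from pkg.FreeBSD.org (the shipped default), and that the override directory is /usr/local/etc/pkg/repos unless another directory is passed in so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original thread or the FreeBSD project.
# pkg(8) reads /etc/pkg/FreeBSD.conf and then merges every
# /usr/local/etc/pkg/repos/*.conf, so a branch change is a small override
# that re-declares only the url of the "FreeBSD" repository. Assumptions:
# the repository name "FreeBSD" and the pkg.FreeBSD.org url layout match
# the shipped default config; the override directory is an argument so the
# functions can be tested against a temporary directory.

# Only the two branches pkg.FreeBSD.org actually publishes are accepted.
valid_branch() {
    case "$1" in
        quarterly|latest) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the override for the requested branch; prints the file path on
# success and fails (without touching the filesystem) on an unknown branch.
write_repo_override() {
    branch="$1"
    repos_dir="${2:-/usr/local/etc/pkg/repos}"
    valid_branch "$branch" || { echo "unknown branch: $branch" >&2; return 1; }
    mkdir -p "$repos_dir" || return 1
    conf="$repos_dir/FreeBSD.conf"
    # ${ABI} (e.g. FreeBSD:10:amd64) is expanded by pkg itself, not by the
    # shell, so it is escaped to land in the file literally.
    cat > "$conf" <<EOF
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/\${ABI}/${branch}"
}
EOF
    echo "$conf"
}

# Report which branch a repo config selects ("quarterly", "latest") or
# "none" when the file is missing or sets no pkg.FreeBSD.org url.
repo_branch() {
    conf="$1"
    [ -r "$conf" ] || { echo none; return 1; }
    b=$(sed -n 's|.*pkg\.FreeBSD\.org/[$]{ABI}/\([a-z]*\)".*|\1|p' "$conf" | head -n 1)
    echo "${b:-none}"
}

# Typical use on a 10.2 host (needs root; not run here):
#   write_repo_override latest
#   pkg update -f          # refresh the catalogue from the new branch
#   pkg -vv | grep url     # confirm the effective repository url
#   pkg audit -F           # fetch vuln.xml and re-check installed packages
```

After the override is in place, `pkg update -f` pulls the new catalogue and `pkg audit -F` shows whether the packages flagged under the quarterly set have fixed versions available on 'latest'; the trade-off the message describes still holds, since the host now tracks the high-churn branch.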


More information about the freebsd-security mailing list