How do I know if my 13-stable has security patches?
Karl Denninger
karl at denninger.net
Thu Feb 25 13:37:06 UTC 2021
On 2/25/2021 04:30, Olivier Certner wrote:
>> Neither command is what I'd call 'intuitive', so it would have taken me a
>> long time to find either of them. I cut and pasted the 'git branch' command
>> and it took me a moment to realize what that meant. Never ran "grep -l" on
>> a pipe, I guess.
> You made me laugh! Apart from relatively simple commands, git's interface is
> far from intuitive. That's the reason why I regret that it became the hugely
> dominant DVCS.
Regression doesn't have to come to a project, but if the tools you
choose do things like this then you have to work around them as a
project to avoid the issue, and that might wind up being somewhat of a PITA.
This specific issue is IMHO quite severe in terms of operational
impact. I track -STABLE but don't load "new things" all the time. For
security-related things it's more important to know if I've got
something out there in a specific instance where it may apply (and not
care in others where it doesn't; aka the recent Xen thing if you're not
using Xen.) Otherwise if everything is running as it should do I wish
to risk introducing bugs along with improvements? If not in a
security-related context, frequently not.
Well, this used to be easy. Is your "uname" r-number HIGHER than the
"when fixed" revision? You're good. Now, nope. Now I have to go dig
source to know because there is no longer a "revision number" that
monotonically increments with each commit so there is no longer a way to
have a "point in time" view of the source, as-committed, for a given
checked-out version.
IMHO that's a fairly serious regression for the person responsible for
keeping security-related things up to date and something the project
should find a way to fix before rolling the next -RELEASE. (Yeah, I know
that's almost-certain to not happen but it's not like this issue wasn't
known since moving things over to git.)
--
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20210225/6f751ef0/attachment.bin>
More information about the freebsd-stable
mailing list