On Mon, 11 Apr 2005 09:23:35 -0400, "Jan Schaumann"
<jschauma@netmeister.org> said:
> Martijn van Buul <martijnb@atlas.ipv6.stack.nl> wrote:
>  
> > AFAIK yes, with the added remark that packages might get removed in case
> > of security issues. (If package foo was at version 1.2 when 2005Q1 was
> > branched, and when it was later discovered that foo-1.2 has a security
> > leak (fixed in foo-1.2nb3 in HEAD), foo-1.2.tar.gz gets deleted, but no
> > foo-1.2nb3 will be generated for 2005Q1. At least, that's my understanding of
> > it all.)
> 
> Ideally, it'll work like this:
> 
> If there is a security issue in foo-1.2, and it has been fixed in
> pkgsrc-HEAD, then usually a pullup-request is made, and the fix included
> in the latest supported pkgsrc branch.  Subsequently, binary packages
> are built and uploaded to replace the ones that were deleted.
> 
> This process may take a while and involves the due diligence of (a) the
> person fixing the security hole (to make the pullup request), (b) the
> pkgsrc releng team (to pullup the request), and (c) the bulk-builders
> (to produce new binary packages).
> 
> -Jan

so say foo-12 had a security hole, a pullup request is made, and the
releng team builds/uploads a replacement. is there a mailing list or
something to notify us when that happens, and is there a need to
synchronize our pkgsrc (w/ cvsup, etc?). 
Tom
-- 
  
  eyefull@eml.cc