Subject: Re: system updates
To: NetBSD/i386 Discussion List <port-i386@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: netbsd-users
Date: 08/16/2001 11:20:30
On Wed, 15 Aug 2001, Greg A. Woods wrote:
> For NetBSD you should be able to "sup" or "cvs update" the ``stable''
> branch just as easily and then do regular builds. NetBSD's "make
But if one wants to have the official release + all security fixes
without "untested" features from the "stable" (e.g. netbsd-1-5) branch?
Ever followed FreeBSD -STABLE and saw things break on production
systems? I have and I don't want to see that again. The FreeBSD's RELENG_4_3
branch is just what I needed.
What I'd like to see in NetBSD is something like this:
==+================= current
  |
  +======+===== netbsd-1-5
      ^  |
      |  +===== netbsd-1-5-2
      |   ^
      |   |
      |   netbsd-1-5-PATCH002
      |
      netbsd-1-5-PATCH001
So every release (e.g. the forthcoming 1.5.2) will be a BRANCH, not
a normal tag, and this branch would include all the security fixes.
Syncing against this tag would get only the security fixes, nothing more.
# cvs -q update -r netbsd-1-5-PATCH002 -dP # 1.5.2
# cvs -q update -r netbsd-1-5-2 -dP # 1.5.2 + security fixes
When a release (major or patch release) is released :-) the branch and
the release tag point to an identical set of files. Later, when service
foo is fixed for some attack, the fix is also pulled into the
netbsd-1-5-2 branch. The security advisory then advises people to fetch the
latest sources for the netbsd-1-5-2 branch or patch the sources manually
as before.
Does this make any sense?
Martti
---
Martti Kuparinen <martti.kuparinen@iki.fi>
http://www.iki.fi/~kuparine/