Subject: Keeping 1.6.1 up to date.
To: None <netbsd-users@netbsd.org>
From: Louis Guillaume <lguillaume@berklee.edu>
List: netbsd-users
Date: 11/19/2003 18:56:45

Hi Everyone,

A great thing happened where a colleague of mine, upset with Red Hat, 
decided to look at NetBSD.

The one thing that's making him hesitate now is "How do you update a 
part of the base distribution if there was, say, a security advisory on 
that item?" He wants to see an up2date-like tool.

I'm accustomed to using -current, where I build regularly and that would 
typically take care of issues like this. And then there's pkg_audit for 
the packages.

Let's paint a hypothetical scenario...

. Take a cleanly installed 1.6.1 system with no packages.
. Subsequently, security advisories for several packages come out.
. Patches are now made to -current and successfully tested for these fixes.

Is the official NetBSD-1.6.1 distribution now going to be patched or do 
we have to wait for the next release before we can have a secure 
distribution?

Let's assume the former is true and the sets for 1.6.1 are updated with 
the fixes.

Are we expected to retrieve the latest sets and essentially upgrade 
1.6.1 to 1.6.1(patched)?

What is the expected maintenance scheme for a NetBSD release in a 
production environment?

Any help would be fantastic,
Thanks

Louis