Subject: Re: pkgsrc branch vs. current?
To: Jeremy C. Reed <reed@reedmedia.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 05/10/2005 13:24:25
In message <Pine.LNX.4.43.0505100916480.23048-100000@pilchuck.reedmedia.net>, "Jeremy C. Reed" writes:
>On Tue, 10 May 2005, Martijn van Buul wrote:
>
>> It occurred to me that Kirk Strauser wrote in gmane.os.netbsd.general:
>> > if I install NetBSD 2.0.2, am I expected to track one particular branch (as
>> > would be the case with OpenBSD), or is it OK to follow CVS head (like in
>> > FreeBSD)?
>>
>> You can track HEAD, or you can stick to a branch - whatever suits you best.
>>
>> Sticking to a branch means that you don't have to deal with constantly
>> updating packages and dependencies, and that you can benefit from having
>> binary packages, but it has some drawbacks in case of a security problem.
>
>I don't consider it a drawback. Security fixes are in the stable branch
>and in many cases the security fix is done so the update is as easy as
>possible.

But they aren't always there.  For example, for a while -- a few weeks, I
think -- the head has had a fixed ImageMagick, 6.2.2.0.  But pkgsrc-2005Q1
has 6.2.0.4, which has a heap overflow.  I've seen other examples in 
the past.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb