Subject: Re: is modular X.org in 4.0_BETA2?
To: Jeremy C. Reed <reed@reedmedia.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 08/17/2007 17:17:37
On Fri, 17 Aug 2007 15:52:50 -0500 (CDT)
"Jeremy C. Reed" <reed@reedmedia.net> wrote:

> On Fri, 17 Aug 2007, Steven M. Bellovin wrote:
> 
> > There is one major potential headache: security advisories.
> > Changes to the base system -- including xsrc -- are pretty local in
> > scope. Changes to a package can often mean recompiling a lot of
> > indirect dependencies, including such monsters as qt3.  Judicious
> > use of 'make replace' can help, but that's a dangerous command if
> > you don't know what you're doing.
> 
> The pkgsrc team should be providing ready-to-use binary packages for
> all security updates. So pkg_add -u should work for a quick update.

For all of the different versions people might have?  I hope so, but
that wasn't my impression.

I picked a random package that I knew had had a recent security problem
-- qt3-libs -- and went to its web page
(ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/x11/qt3-libs/README.html).
(qt3 isn't part of xorg, but it underlies kde, among other things you
don't want to rebuild unnecessarily.)  i386 was the only platform that
had up-to-date binaries.

xorg-server -- part of modular xorg -- has no binaries.  Ditto
xorg-libs, xorg-clients, and xorg-imake.  Note that all of these have
had security advisories.  I'm sure these are all coming, but they're not
there now. I'm less than convinced that there will be current binaries
for platforms other than i386, even when security holes are found.  

Perhaps the quarterly branches are better in that regard; I haven't
checked.  In the past, though, they've lagged pretty far behind HEAD
when it came to security fixes, which is why I moved away from them.
I'm not blaming anyone -- often, the fix to some package isn't just a
diff, it's "update to .N+1" because that's the way the developer did
things, so pkgsrc has little choice but to follow and not just bump
PKGREVISION.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
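Added example, not part of the thread above and not pkgsrc's own audit-packages code: a small Python script showing the kind of check the discussion assumes, i.e. matching installed packages against advisory patterns where a fix arrived either as a PKGREVISION bump (the "nb" suffix, e.g. 3.3.8nb2 -> 3.3.8nb3) or as an upstream "update to .N+1" (3.3.8 -> 3.3.9). The installed-package list and advisory lines are constructed sample data; the package versions, advisory kinds and URLs are placeholders, not real advisories. Version comparison is a deliberate simplification of pkgsrc's dewey rules (dotted integers plus an optional "nb<N>" suffix; anything else raises an error).

```python
import re

# Constructed sample in the shape of `pkg_info -e '*'` output (name-version per line).
INSTALLED = """qt3-libs-3.3.8nb2
xorg-server-1.3.0nb1
xorg-libs-6.9.1
kdebase-3.5.7
"""

# Constructed advisory list in the spirit of pkgsrc's pkg-vulnerabilities file:
# "<package-pattern> <kind-of-problem> <url>". Placeholders, not real advisories.
ADVISORIES = """# pattern                kind                      reference
qt3-libs<3.3.8nb3        arbitrary-code-execution  https://example.invalid/adv-1
xorg-server<1.3.0nb2     privilege-escalation      https://example.invalid/adv-2
xorg-libs<6.9.1          buffer-overflow           https://example.invalid/adv-3
"""


def parse_pkgname(pkgname):
    """Split 'name-version' at the last '-' followed by a digit (pkgsrc convention)."""
    m = re.fullmatch(r"(.+)-([0-9][^-]*)", pkgname.strip())
    if not m:
        raise ValueError(f"not a package name: {pkgname!r}")
    return m.group(1), m.group(2)


def version_key(version):
    """Simplified dewey key: ([dotted ints], PKGREVISION). 'nb' missing means 0."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:nb([0-9]+))?", version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)


def compare(a, b):
    """Return -1, 0 or 1 for a<b, a==b, a>b. Missing trailing components count as 0,
    and PKGREVISION (nb) only decides ties on the upstream version."""
    (na, ra), (nb_, rb) = version_key(a), version_key(b)
    width = max(len(na), len(nb_))
    na, nb_ = na + [0] * (width - len(na)), nb_ + [0] * (width - len(nb_))
    if na != nb_:
        return -1 if na < nb_ else 1
    return (ra > rb) - (ra < rb)


def matches(pattern, name, version):
    """Evaluate a 'name<ver' or 'name<=ver' advisory pattern against one package."""
    m = re.fullmatch(r"([^<>=]+)(<=|<)([^<>=]+)", pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    pname, op, pver = m.groups()
    if pname != name:
        return False
    c = compare(version, pver)
    return c < 0 if op == "<" else c <= 0


def audit(installed_text, advisories_text):
    """Return (pkgname, kind, url) for every installed package an advisory matches."""
    installed = [parse_pkgname(line) for line in installed_text.splitlines() if line.strip()]
    findings = []
    for line in advisories_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        for name, version in installed:
            if matches(pattern, name, version):
                findings.append((f"{name}-{version}", kind, url.strip()))
    return findings


if __name__ == "__main__":
    for pkg, kind, url in audit(INSTALLED, ADVISORIES):
        print(f"Package {pkg} has a {kind} vulnerability, see {url}")
```

With the constructed data, qt3-libs-3.3.8nb2 and xorg-server-1.3.0nb1 are reported (both need only a PKGREVISION bump to clear the advisory), while xorg-libs-6.9.1 already sits at the fixed upstream version and kdebase has no matching pattern. Real deployments should use pkgsrc's own audit tooling and vulnerability list rather than this simplified comparison.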