Subject: Re: updating vulnerable package in pkgsrc (gimp24)
To: Anne Bennett <firstname.lastname@example.org>
From: Greg Troxel <email@example.com>
Date: 07/28/2007 16:07:40

Anne Bennett <firstname.lastname@example.org> writes:
I have redirected this to pkgsrc-users.
> I wanted to install gimp24 from pkgsrc-2007Q2, but "make fetch"
> stopped me with an error explaining that the version I had (2.3.18)
> had a security vulnerability. The documentation at
> suggests that the latest version is 2.3.18nb1, not 2.3.18.
> I tried "cd /usr/pkgsrc; cvs -q update -dP", but it has not picked up
> any updates since a run earlier this morning. I was finally able to get
> an updated version of gimp24 by downloading the pkgsrc-current tarball.
That will update along the branch. A security update generally should be
and is pulled up to the branch, but that takes time.
> *Should* my "cvs" operation have picked up an updated version of gimp24,
> or am I going about this all wrong?
It will, but it will usually take longer.
> The release announcement said that "continuing engineering starts on
> the pkgsrc-2007Q2 release", and the tarball does seem to get updated
> weekly or so, so I had the impression that I should be able to pick up
> this update. Perhaps I just tried at the wrong moment, but gimp24 in
> pkgsrc-current seems to have been updated on July 5, so I wonder if
> someone missed porting that update back to 2007Q2.
> I don't have a deep understanding of what changes are or are not
> included in released software trees, so I apologize if I seem to be
> making unreasonable demands; such is not my intention.
No, you've asked a fair question.