pkgsrc-Users archive


Re: pkgsrc-2014Q4 binary packages for illumos now available



On 3/11/15 10:57 AM, Jonathan Perkin wrote:
> It's a lot later than I'd planned, but I'm pleased to finally announce
> the pkgsrc-2014Q4 binary package sets for illumos are now available.

Hi, Jonathan.

Thanks for all your work related to pkgsrc!

> This release sees some important changes:
>
>   * This is our first Long Term Support (LTS) release.  We will
>     support this branch for 3 years, backporting any suitable fixes as
>     required.  Users who wish to make use of our backports may follow
>     the joyent/feature/backports/2014Q4 branch in our pkgsrc tree, and
>     we welcome pull requests to assist us in this endeavour.

This is *very* interesting to me.  What I've been doing up until now
is tracking the latest quarterly branch (e.g. pkgsrc-2014Q4).  The big
problem I have is that invariably after switching to the new quarterly
branch, almost immediately packages like curl, ffmpeg2, python27, and
python34 start getting reported by "pkg_admin audit" as having security
vulnerabilities.  This usually remains this way until I switch to the
next quarterly branch, and then the same problem repeats.

As a user wanting to keep my machine secure, a basic first line of
defense is to always apply available software security updates.  This
is kind of like "inbox zero" for "pkg_admin audit".  Unfortunately,
this approach breaks down horribly with pkgsrc because there are often
no fixes within the quarter for the list of vulnerable packages
reported by "pkg_admin audit".  Please note that I'm not trying to rail
on the pkgsrc developers.  I understand that often upstream does not
provide security fixes in a clean and timely manner.  I also understand
that with as many packages as are in pkgsrc, it would require a lot of
effort to actually update all packages so that they don't have known
security vulnerabilities.  But at the same time, I'm trying to figure
out a good strategy for keeping my machine secure.

How can Ubuntu provide security updates to all LTS packages?  Is it
because they pay many employees to do all that work?  Is it because they
limit the number of packages in the "main" category (the category of
packages that they fully support)?  Is it that in reality there are lots
of vulnerable packages installed on my Ubuntu LTS system, but because
there is no "pkg_admin audit" I just don't know about them, and I get a
warm fuzzy feeling when I check for security updates and it says none
are available?  My guess is that the answer is "all of the above," but
I'd love to hear whether you or others think this is correct!

So, are you saying that Joyent is going to provide security updates
to all packages in the joyent/feature/backports/2014Q4 branch
for 3 years?  This would be very impressive!  And to be clear,
you're happy with people who are not Joyent customers tracking the
joyent/feature/backports/2014Q4 branch, right?

Thank you!

Lewis
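The "inbox zero for pkg_admin audit" practice described in the message above is easier to track if the audit output is reduced to one line per package, so the list can be compared before and after switching quarterly branches. The script below is an added example, not code from the post or from pkgsrc; it assumes the audit line format "Package <name-version> has a <type> vulnerability, see <url>" and uses a constructed sample report (example.org URLs) so it runs offline.

```sh
#!/bin/sh
# Added example (not from the mailing-list post or from pkgsrc): summarise
# "pkg_admin audit" output so a branch switch can be compared before and after.
# Assumes audit lines look like:
#   Package <base>-<version> has a <type> vulnerability, see <url>

# Reduce an audit report (stdin) to "<base> <installed-pkg> <advisory-count>",
# one line per package base name, sorted.
audit_summary() {
    # A pkgsrc package name is <base>-<version>; the version begins at the
    # first "-" that is followed by a digit, so strip from there to the end.
    awk '
        /^Package .* has a .* vulnerability, see / {
            pkg = $2
            base = pkg
            sub(/-[0-9][^ ]*$/, "", base)
            count[base]++
            if (!(base in ver)) ver[base] = pkg
        }
        END {
            for (b in count) printf "%s %s %d\n", b, ver[b], count[b]
        }
    ' | sort
}

# Number of distinct vulnerable package bases in an audit report (stdin).
# Non-zero means the "inbox" is not empty.
vulnerable_count() {
    audit_summary | wc -l | tr -d ' '
}

# Constructed sample report in the pkg_admin audit line format (the
# advisory URLs are placeholders), so the functions can be exercised offline.
SAMPLE_AUDIT='Package curl-7.39.0 has a multiple-vulnerabilities vulnerability, see https://example.org/advisory/1
Package python27-2.7.8 has a multiple-vulnerabilities vulnerability, see https://example.org/advisory/2
Package python27-2.7.8 has a denial-of-service vulnerability, see https://example.org/advisory/3
Package ffmpeg2-2.4.3 has a multiple-vulnerabilities vulnerability, see https://example.org/advisory/4'

# Offline run against the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | audit_summary

# On a real pkgsrc host: refresh the vulnerability list, audit the installed
# packages, and keep the summary so it can be diffed after the next branch switch.
if command -v pkg_admin >/dev/null 2>&1; then
    pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1 && \
        pkg_admin audit 2>/dev/null | audit_summary > "audit-summary-$(date +%Y%m%d).txt"
fi
```

Saving the summary on the day of a branch switch and again a few weeks later, then diffing the two files, shows which flagged packages actually received a fix within the quarter and which did not, which is the question the message raises.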

