Re: pkgsrc-2014Q4 binary packages for illumos now available

* On 2015-03-11 at 17:27 GMT, J. Lewis Muir wrote:

> How can Ubuntu provide security updates to all LTS packages?  Is it
> because they pay many employees to do all that work?  Is it because they
> limit the number of packages in the "main" category (the category of
> packages that they fully support)?  Is it that in reality there are lots
> of vulnerable packages installed on my Ubuntu LTS system, but because
> there is no "pkg_admin audit" I just don't know about them, and I get a
> warm fuzzy feeling when I check for security updates and it says none
> are available?  My guess is that the answer is "all of the above," but
> I'd love to hear whether you or others think this is correct!

I'd agree with "all of the above", plus the fact they leverage the
huge Debian community.  We can't compete with that, but do a hell of a
lot given our resources.

> So, are you saying that Joyent is going to provide security updates
> to all packages in the joyent/feature/backports/2014Q4 branch
> for 3 years?  This would be very impressive!

It is still on a best-efforts basis, and updates will only be applied
if they do not break the API/ABI, but the main point of having an
official LTS is that previously we tried to do the same but for all
our previous binary releases.  That clearly doesn't scale, so now
we're only doing it for specific branches, which will hopefully free
up more time for us to do a better job.

> And to be clear, you're happy with people who are not Joyent
> customers tracking the joyent/feature/backports/2014Q4 branch,
> right?

Of course, it's open source.  Not only that, we'd welcome other folks
to pitch in and help out with backports, and will happily accept pull
requests to that branch.


Jonathan Perkin  -  Joyent, Inc.

