Not to take away from what Joyent is proposing to do -- LTS support beyond a quarter is a ton of work -- but pkgsrc stable branches do receive security fixes during the quarter. If you find a package with a problem (in pkg-vulnerabilities or not) and can figure out how to fix it, please send that to pkgsrc-users. Often doing the security patches is a fair bit of work to figure out, depending on how the upstream behaves. If they have clear advisories and per-SA patches, then it's fairly easy. If you have to figure it all out, it can be pretty hard (and then not happen).
Description: PGP signature