nia <nia%NetBSD.org@localhost> writes:

> On Tue, Sep 07, 2021 at 06:24:09PM -0400, Greg Troxel wrote:
>>
>> NetBSD proper has hired a release engineer. With funding, TNF could
>> probably hire someone to do this sort of work for pkgsrc.
>
> I don't think lack of release engineers is the problem here,
> pkgsrc developers use current. They kinda have to. So they're
> uninterested in requesting pullups to stable and it simply
> doesn't happen.

That's what I meant. Personally, I don't use openssl from pkgsrc stable. So not only am I not interested in maintaining it, but I can't really test, without setting up a bunch of environments that I have no reason to set up.

Probably release engineer is the wrong word, but I meant something like paying someone to prepare and test pullups that addressed security issues in pkgsrc-stable.

> Lately I've seen a handful of security-critical updates where
> the committer never makes a pullup request, so I've been doing
> it myself if I think the update is important.

Thanks. I have been often trying to do this, if I think it matters and I am able to convince myself that the update will not be destabilizing, for updates I make.

Part of the issue is that there are a vast number of CVEs and it's hard to tell how to prioritize.

> It doesn't help that pkgsrc openssl is mostly a Linux and
> older-NetBSD-releases thing (I think most illumos users are
> using the current branch too).

And mac, but the mac packages from joyent are -current too (which seems like it is working fine, not a complaint).