On 29.01.2018 20:01, maya%netbsd.org@localhost wrote:
> I think we should have a discussion to change the way netbsd releases
> and security advisories are done. they seem to be suitable for a large
> company, and netbsd doesn't keep up with it.
>

Personally, I would find it reasonable to abandon minor releases and instead release patch releases often. A critical patch could be described as: upgrade to 8.57, as 8.56 and earlier versions contain a vulnerability. We could reuse the current CHANGES-* format as the only SA.

Another point is to set a rule that the ABI is stable between patch versions and binary packages (prebuilt software) still work as-is. I'm observing now users who abandon researching this OS just because a patch version of kerberos is not compatible with existing packages.

A member of the security team told me that writing an advisory can take a dozen hours.