Subject: Re: keeping pkgsrc up-to-date
To: Marton Fabo <morton@eik.bme.hu>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 07/02/2002 15:57:01
[ On Tuesday, July 2, 2002 at 21:10:38 (+0200), Marton Fabo wrote: ]
> Subject: Re: keeping pkgsrc up-to-date
>
> Actually, my problem is with the current system's usability in certain 
> circumstances, for example with slow/unreliable connectivity, which I 
> happen to have. Anyway, the _real_ problem is that any of the three 
> mentioned methods (tarball, cvs, sup) are hardly optimized... Why not 
> optimize, if optimization _can_ be made?

There are "optimizations" that you've not been considering up until now,
particularly rsync and CVSup.

CTM, as a program, does exist too, in a highly usable form, and its
services could be provided by anyone with a mirror copy of the CVS
repository.  I seem to remember discussion in the past about setting it
up for NetBSD, but then again I seem to remember discussions in FreeBSD
circles about discontinuing it because it's not often used.  :-)

> As someone mentioned, it is only weekly updated. Not the best option in 
> case of an OpenSSH remote-root SA... (: And anyway, with a clever solution, 
> the problem could be solved with much less load. Why settle for the 
> imperfect hacks currently available?

Then I think you have a very fundamental problem with your entire
process of using pkgsrc in the first place.  IMNSHO (and not speaking
for TNF) I believe anyone relying on pkgsrc for security updates, and
who cannot or will not make their own local updates to the desired
critical modules themselves, is only going to get into deeper trouble.

Pkgsrc, at least as supplied directly by NetBSD, is about as far from
being an ideal means for getting time-critical updates as there could
possibly be.  Pkgsrc is only a convenient way to install tons of
software that you want to use, but not learn the internals and build
procedures of, and to that extent it's probably best if end users only
use "snapshots" of pkgsrc, not try to follow the bleeding edge of
pkgsrc-current.

I do use pkgsrc to upgrade production systems when security fixes are
necessary, but for example with the BIND upgrade last week I didn't wait
for my repository mirror to update with rsync -- I didn't even wait for
the updates to appear on the anonymous CVS server or on the web
interface.  I just went in and updated the net/bind8 module myself.  :-)
(Now in this case I'd have had to have done some of that work regardless
since I maintain some local patches for BIND and I'd have had to
regenerate them anyway.)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>