Bulk packages and security updates

To: tech-pkg%netbsd.org@localhost
Subject: Bulk packages and security updates
From: John Klos <john%klos.com@localhost>
Date: Tue, 8 Jul 2025 18:14:44 +0000 (UTC)

Hi,

CVE-2025-48384

What's the concensus for doing small updates for, for example, securityupdates? For instance:


-rw-r--r--  1 pkgmastr  netbsd  1278576 Jun 11 01:03 amd64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r--  1 pkgmastr  netbsd  1248744 Jun  8 16:21 i386/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r--  1 pkgmastr  netbsd  1278576 Jun 11 01:03 x86_64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz

pkgsrc-2025Q2 was updated to have sudo-1.9.17p1, and I'm wondering whatpeople do about updates like this. Do you just rerun bulk builds everyweek or two? Do we update packages like these manually?

Should we do something automatically? Should the packages be removed, orat least made unavailable, when there's a security update?

Related to this, git has a new CVE (CVE-2025-48384) that affects gitclients. Is there a policy or guidelines, or at least a concensus, abouthow to handle binary packages that have security issues for well used (orat least very soon to be well used) software?


John

Follow-Ups:
- Re: Bulk packages and security updates
  - From: Greg Troxel

Prev by Date: Re: CVS commit: src/sys/net/npf
Next by Date: Re: Bulk packages and security updates
Previous by Thread: Re: CVS commit: src/sys/net/npf
Next by Thread: Re: Bulk packages and security updates
Indexes:

Home | Main Index | Thread Index | Old Index