tech-pkg archive
Bulk packages and security updates
Hi,
What's the consensus for doing small updates for, for example, security
updates? For instance:
-rw-r--r-- 1 pkgmastr netbsd 1278576 Jun 11 01:03 amd64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r-- 1 pkgmastr netbsd 1248744 Jun 8 16:21 i386/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r-- 1 pkgmastr netbsd 1278576 Jun 11 01:03 x86_64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
pkgsrc-2025Q2 was updated to have sudo-1.9.17p1, and I'm wondering what
people do about updates like this. Do you just rerun bulk builds every
week or two? Do we update packages like these manually?
Should we do something automatically? Should the packages be removed, or
at least made unavailable, when there's a security update?
Related to this, git has a new CVE (CVE-2025-48384) that affects git
clients. Is there a policy or guidelines, or at least a consensus, about
how to handle binary packages that have security issues for well used (or
at least very soon to be well used) software?
John