tech-pkg archive


Bulk packages and security updates



Hi,

CVE-2025-48384

What's the consensus for doing small updates for, for example, security updates? For instance:

-rw-r--r--  1 pkgmastr  netbsd  1278576 Jun 11 01:03 amd64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r--  1 pkgmastr  netbsd  1248744 Jun  8 16:21 i386/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r--  1 pkgmastr  netbsd  1278576 Jun 11 01:03 x86_64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz

pkgsrc-2025Q2 was updated to have sudo-1.9.17p1, and I'm wondering what people do about updates like this. Do you just rerun bulk builds every week or two? Do we update packages like these manually?

Should we do something automatically? Should the packages be removed, or at least made unavailable, when there's a security update?

Related to this, git has a new CVE (CVE-2025-48384) that affects git clients. Is there a policy or guidelines, or at least a consensus, about how to handle binary packages that have security issues for well used (or at least very soon to be well used) software?

John
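One concrete form the "should we do something automatically" question above could take is a check that compares the versions in a bulk-build listing against the versions the branch now carries. The block below is an added example, not code from the post or from pkgsrc/pkg_install: it parses listing lines like the ones quoted, splits each PKGNAME into name and version, and reports binaries older than the branch version. Assumptions: the version ordering is a simplified stand-in for pkgsrc's dewey rules (numeric runs, then the nb revision), and CURRENT_VERSIONS is a constructed table, with sudo's entry taken from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed listing in the format quoted in the post; the bash line is an added
# entry that is already at the current version, so it must not be flagged.
LISTING = """\
-rw-r--r--  1 pkgmastr  netbsd  1278576 Jun 11 01:03 amd64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r--  1 pkgmastr  netbsd  1248744 Jun  8 16:21 i386/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r--  1 pkgmastr  netbsd  1278576 Jun 11 01:03 x86_64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
-rw-r--r--  1 pkgmastr  netbsd   900000 Jun 11 01:05 amd64/10.0_2025Q2/All/bash-5.2.37.tgz
"""

# Assumed versions now in the branch: sudo's is the one named in the post,
# bash's is constructed for the example (neither is read from a real pkgsrc tree).
CURRENT_VERSIONS: Dict[str, str] = {"sudo": "1.9.17p1", "bash": "5.2.37"}

# A pkgsrc PKGNAME is <name>-<version>; the version is what follows the last '-'
# and must start with a digit (e.g. 'sudo-1.9.16p2nb2').
_PKGNAME = re.compile(r"^(?P<name>.+)-(?P<ver>\d[^-]*)$")
_NB = re.compile(r"nb(\d+)$")

def version_key(version: str) -> Tuple[List[int], int]:
    """Simplified stand-in for pkgsrc's dewey ordering: the pkgsrc 'nb' revision is
    split off and compared last, the rest is reduced to its numeric runs, so
    1.9.16p2nb2 -> ([1, 9, 16, 2], 2) and 1.9.17p1 -> ([1, 9, 17, 1], 0)."""
    nb, m = 0, _NB.search(version)
    if m:
        nb, version = int(m.group(1)), version[: m.start()]
    return [int(n) for n in re.findall(r"\d+", version)], nb

def split_pkgname(filename: str) -> Tuple[str, str]:
    """'sudo-1.9.16p2nb2.tgz' -> ('sudo', '1.9.16p2nb2')."""
    m = _PKGNAME.match(filename[:-4] if filename.endswith(".tgz") else filename)
    if not m:
        raise ValueError(f"not a pkgsrc package name: {filename}")
    return m.group("name"), m.group("ver")

def stale_packages(listing: str, current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(path, binary version, branch version) for each .tgz older than the branch's version."""
    stale = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields or not fields[-1].endswith(".tgz"):
            continue  # skip blank lines and non-package entries
        path = fields[-1]
        name, ver = split_pkgname(path.rsplit("/", 1)[-1])
        if name in current and version_key(ver) < version_key(current[name]):
            stale.append((path, ver, current[name]))
    return stale
```

pkgsrc's own `pkg_admin audit` consults the pkg-vulnerabilities file for known-vulnerable installed packages; the check above only finds binaries that lag the branch, which is the gap the post asks about.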

