tech-pkg archive
Re: Bulk packages and security updates
John Klos <john%klos.com@localhost> writes:
> CVE-2025-48384
>
> What's the consensus for doing small updates for, for example,
> security updates? For instance:
>
> -rw-r--r-- 1 pkgmastr netbsd 1278576 Jun 11 01:03 amd64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
> -rw-r--r-- 1 pkgmastr netbsd 1248744 Jun 8 16:21 i386/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
> -rw-r--r-- 1 pkgmastr netbsd 1278576 Jun 11 01:03 x86_64/10.0_2025Q2/All/sudo-1.9.16p2nb2.tgz
>
> pkgsrc-2025Q2 was updated to have sudo-1.9.17p1, and I'm wondering
> what people do about updates like this. Do you just rerun bulk builds
> every week or two? Do we update packages like these manually?
Generally, pullups can happen, with either
  a patch for the security issue, and nothing else, or
  (less preferred) a micro update with the security fix, other fixes,
  maybe new bugs, maybe ABI breaks.
> Should we do something automatically?
No. The person who fixes it in pkgsrc-current, or any other developer,
should submit a pullup request. pkgsrc releng is great at handling
them.
> Should the packages be removed, or at least made unavailable, when
> there's a security update?
No. That is totally unreasonable. It's great to have a new package
with a higher version that's fixed, but removing packages is 1) nanny
state where somebody decides that any bug is TERRIBLE, when many users
may be better off with the package than not and 2) has cascading
failures with depending packages.
> Related to this, git has a new CVE (CVE-2025-48384) that affects git
> clients. Is there a policy or guidelines, or at least a consensus,
> about how to handle binary packages that have security issues for well
> used (or at least very soon to be well used) software?
There is no plan for 'binary packages'. The plan is:
  1. commit an update to pkgsrc head that fixes the CVE
  2. if that's a security patch, or really really a micro that's ok to
     pull up, submit a pullup. Or extract the fix and add that as a
     patch and submit that patch as a pullup
  3. wait for bulk builds to rerun and have the new version
We do this all the time. Not saying every time there is a CVE, but it
happens a lot.