tech-pkg archive
Re: Bulk packages and security updates
John Klos <john%klos.com@localhost> writes:
>> There is no plan for 'binary packages'. The plan is
>>
>> commit an update to pkgsrc head that fixes the CVE
>>
>> if that's a security patch, or really really a micro that's ok to pull
>> up, submit a pullup. Or extract the fix and add that as a patch and
>> submit that patch as a pullup
>>
>> wait for bulk builds to rerun and have the new version
>>
>> We do this all the time. Not saying every time there is a CVE, but it
>> happens a lot.
>
> Apologies. I didn't mean to give the impression I was talking about
> pre-pullup - I was wondering about what actions are taken when a
> pullup is made.
Sorry, I didn't follow that...
> In that case, it seems no action is taken (for fast platforms), and we
> just wait for the next round of binary packages to be built and
> uploaded.
The releng team changes the sources on the branch.
bulk builders rerun bulk builds somehow, widely varying.
That's it as far as I know.
> I suppose if there's ever a super critical vulnerability that could
> dramatically affect people, we can talk about any other actions then.
The only action that makes sense is for someone to make sure that the
package in question is rebuilt right away for any platform that has
built the previous version.
However, I think it's never ok to go deleting things because someone
thinks the vuln is super scary and therefore decides, on behalf of
others, that non-functional is better. That would be like
audit-packages removing packages from people's machines if they have a
vulnerability entry.