Subject: Re: unix worm via ssh1
To: None <tech-security@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 11/17/2001 20:29:48
On Sat, 17 Nov 2001, Manuel Bouyer wrote:

> We have openssl-0.9.5a on the ftp server. If we replace openssl-0.9.5a with
> openssl-0.9.6, all 1.4.2 packages built against openssl-0.9.5a need to be
> rebuilt against 0.9.6, which may show other dependencies too ...

It seems like another good reason to offer two separate pkgsrc
collections: one for current and continuing development and the other to
just track the important bug and security fixes for the stable release.[1]

And I can forget about old 1.4.x, because I should upgrade anyways :)

> The problem of updating binary packages for security fixes has been
> discussed at least once on tech-pkg. No good solutions have been
> found yet.

I'll search for it, so I can look at the ideas.

   Jeremy C. Reed
   http://www.reedmedia.net/

[1] By the way, FreeBSD provides separate packages collections, such as
packages-3-stable, packages-4-stable, and packages-5-current. And a stable
ports branch and stable updated packages are available for OpenBSD for
important updates; the updated packages have their names changed so they
won't possibly conflict.