I was hoping for a scheme involving binary patches. Remember, I'm trying 
to sell a RedHat up2date user on NetBSD.

He's probably not ready to hear, "you need to maintain a source 
repository for the netbsd-1.6 branch." I worry it may scare him off.

Would it not be reasonably simple (or at least a good idea) to post a 
binary patch associated with each Security Advisory? Or cumulative 
patches to fix several?

Then we can have a tool similar to pkg-audit which will check for 
patches periodically, optionally updating the system.

A tool like this would certainly make NetBSD more attractive to the 
Systems Administrator who doesn't have time for, or care about building 
from source.

I'd be happy to help work on this too if anyone's interested. Thanks

Louis



>>What is the expected maintenance scheme for a NetBSD release in a
>>production environment?
> 
> 
> Please correct me if I didn't understand you correctly. But the normal
> ways of maintaining NetBSD releases are:
> 
> * Following the netbsd-1-6 branch (with the -rnetbsd-1-6 CVS parameter),
> just like you can follow current. The netbsd-1-6 branch includes security
> updates and important fixes.
> * Apply the patches as explained in the security updates.
> 
> Tracking netbsd-1-6 is a bit more ideal, because it includes other fixes.
> For packages you can use the normat approach (e.g. using
> download-vurnerability-list and audit-packages).
> 
> With kind regards,
> Daniel de Kok
>