Subject: Re: The pkgsrc-2006Q1 branch
To: None <pkgsrc-users@NetBSD.org>
From: None <joerg@britannica.bec.de>
List: pkgsrc-users
Date: 04/02/2006 16:36:54
On Fri, Mar 31, 2006 at 02:11:11PM -0500, Anne Bennett wrote:
> (a) When audit-packages tells me that an installed package has a
> vulnerability, what actions do you recommend that I perform
> in reaction to that report? (Each package's web page states "If
> you have a vulnerable package installed on any machine, you are
> advised to remove the package immediately" - which is not
> terrifically helpful in practice!)
Check if there is an update. For the branch, security fixes are normally
pulled up immediately or after a short time for testing. If no update
exists, you are kind of screwed. Evaluate whether you really need the
package at the moment and how bad a compromise would be. As a member of the
pkgsrc security team I can promise you that we do our best to provide
security fixes if possible. Sometimes it isn't possible, or it is too much work. It
can help to ask the vendor of a specific program for a security fix, but
we also have a number of unfixed, long standing issues. Not really our
fault in some cases. :-)
> (b) When I want to upgrade a particular package (for example because
> I need its new functionality), how do you recommend that I do
> this, bearing in mind that I have a lot of other software
> installed and in use on the system?
You can try to cherry pick changes from pkgsrc current, but for !leaf
packages it can be quite a lot of work and risky. The situation is
similar to Debian: either use a stable version or the current tree, but
mixing is problematic.
Joerg
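The triage the reply describes (for each audit-packages finding, check whether the branch already carries a newer version; if not, decide whether the package is still needed) can be scripted. The following is an added example, not code from this thread or from pkgsrc. It assumes the audit-packages report line format "Package <name>-<version> has a <type> vulnerability, see <url>", uses a constructed report and a constructed table of branch versions in place of a real pkgsrc tree, and does a simplified dotted-numeric version comparison (pkgsrc version rules, such as "nb" suffixes and letter suffixes, are richer than this).

```shell
#!/bin/sh
# Triage helper for audit-packages output (added example, not pkgsrc code).
# Assumed report format: "Package <name>-<ver> has a <type> vulnerability, see <url>"

# Constructed audit-packages output (not real findings).
AUDIT_REPORT='Package libfoo-1.2.3 has a remote-code-execution vulnerability, see http://example.invalid/a
Package bar-2.0 has a denial-of-service vulnerability, see http://example.invalid/b'

# Constructed table of the newest version on the stable branch: "<name> <version>".
# In practice this would be derived from the pkgsrc tree, not hard-coded.
BRANCH_VERSIONS='libfoo 1.2.5
bar 2.0'

# Strip the trailing -<version> from "name-1.2.3" -> "name".
pkg_base() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*$//'
}

# Extract the trailing version from "name-1.2.3" -> "1.2.3".
pkg_version() {
    printf '%s\n' "$1" | sed 's/.*-\([0-9][^-]*\)$/\1/'
}

# Return 0 when $1 is strictly newer than $2 (dotted numeric compare only).
version_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1
    }'
}

# Look up the branch version for a package name; prints nothing if unknown.
branch_version() {
    printf '%s\n' "$BRANCH_VERSIONS" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# Classify one report line. Prints:
#   "<name> <installed> update-available <branch-version>"  or
#   "<name> <installed> no-fix-evaluate-need"
# Returns 1 if the line does not look like an audit-packages finding.
triage_line() {
    line=$1
    pkg=$(printf '%s\n' "$line" | sed -n 's/^Package \([^ ]*\) has a .* vulnerability, see .*$/\1/p')
    [ -n "$pkg" ] || return 1
    base=$(pkg_base "$pkg")
    ver=$(pkg_version "$pkg")
    avail=$(branch_version "$base")
    if [ -n "$avail" ] && version_gt "$avail" "$ver"; then
        printf '%s %s update-available %s\n' "$base" "$ver" "$avail"
    else
        # No newer version pulled up: the remaining options are the ones in the
        # reply (keep it if really needed and accept the risk, or remove it).
        printf '%s %s no-fix-evaluate-need\n' "$base" "$ver"
    fi
}

# Classify every line of the report.
triage_report() {
    printf '%s\n' "$AUDIT_REPORT" | while IFS= read -r line; do
        triage_line "$line"
    done
}

triage_report
```

On a real host the constructed AUDIT_REPORT would be replaced by the output of audit-packages, and the no-fix case is where the reply's advice applies: decide whether the package is worth keeping installed until a fix is pulled up.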