pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Managing vulnerable installed packages

"J. Lewis Muir" <> writes:

> I'm wondering if I'm managing my installed pkgsrc packages with security
> vulnerabilities in the best way.  I updated my current-branch, ran
> "pkg_admin fetch-pkg-vulnerabilities", and ran "pkg_admin audit".  I
> upgraded the packages reported to contain vulnerabilities.  I then ran
> "pkg_admin audit" again and got the following output:

That's basically the right approach, with the nit that updating random
packages along current pkgsrc without updating all of them may not work.

> So, the latest packages from the current-branch still have
> vulnerabilities:

Yes, that's how it usually is.  It's harder to fix things than to record
the reports, or at least it does not in fact happen as fast.

> * multimedia/ffmpeg2: It looks like the latest FFmpeg stable 2.0 release
>   is 2.0.2, which is what pkgsrc builds.  So, it would seem there's
>   nothing to be done in pkgsrc until the FFmpeg project makes a new
>   release.

Often upstream has an advisory and patch and the patch is added.

> As a user, I just want to ensure all installed packages are free from
> known security vulnerabilities. "pkg_admin audit" tells me when I don't
> have this, but I don't know of good steps for what to do next.  I

You could figure out what patch is needed and apply it locally, and then
send a patch that adds that patch (and bumps PKGREVISION) to the list.

> Is this what most people are doing, or is there a better way?

The alternaive is to track the stable branch, which gets security fixes
but not other chagnes.  But really keeping up with vulnerability
announcements is just hard.

Attachment: pgpE_c59TPAKY.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index