"J. Lewis Muir" <jlmuir%imca-cat.org@localhost> writes: > I'm wondering if I'm managing my installed pkgsrc packages with security > vulnerabilities in the best way. I updated my current-branch, ran > "pkg_admin fetch-pkg-vulnerabilities", and ran "pkg_admin audit". I > upgraded the packages reported to contain vulnerabilities. I then ran > "pkg_admin audit" again and got the following output: That's basically the right approach, with the nit that updating random packages along current pkgsrc without updating all of them may not work. > So, the latest packages from the current-branch still have > vulnerabilities: Yes, that's how it usually is. It's harder to fix things than to record the reports, or at least it does not in fact happen as fast. > * multimedia/ffmpeg2: It looks like the latest FFmpeg stable 2.0 release > is 2.0.2, which is what pkgsrc builds. So, it would seem there's > nothing to be done in pkgsrc until the FFmpeg project makes a new > release. Often upstream has an advisory and patch and the patch is added. > As a user, I just want to ensure all installed packages are free from > known security vulnerabilities. "pkg_admin audit" tells me when I don't > have this, but I don't know of good steps for what to do next. I You could figure out what patch is needed and apply it locally, and then send a patch that adds that patch (and bumps PKGREVISION) to the list. > Is this what most people are doing, or is there a better way? The alternaive is to track the stable branch, which gets security fixes but not other chagnes. But really keeping up with vulnerability announcements is just hard.
Description: PGP signature