* On 2021-09-02 at 00:47 BST, Greg Troxel wrote:
> "Morgan, Iain (ARC-TN)[InuTeq, LLC]" <iain.morgan%nasa.gov@localhost> writes:
>
> > Although OpenSSL 1.1l appears in pkgsrc HEAD, it doesn't look like it has been backported to the 2021Q2 release. Since this update addresses a security issue which is identified as High by the OpenSSL developers, please backport it to the current release.
>
> Perhaps TNF should offer support contracts for this sort of thing, but they'd probably have to be priced high enough to hire 0.5 FTE. Even if there were no guarantees, phrasing it that way might make it easier for entities like NASA to provide funding. I find it really unfortunate how donating to open source code that's being used seems much harder in a corporate environment than paying for proprietary software licenses.
An available option is the pkgsrc Q4 branches that I maintain as LTS releases for 3 years for my SmartOS users. Obviously over time the older branches get fewer updates as it gets progressively more difficult to backport and test changes, but if you don't mind branches older than the most recent quarterly then these may be suitable:
https://github.com/joyent/pkgsrc/tree/joyent/feature/backports/2020Q4
https://github.com/joyent/pkgsrc/tree/joyent/feature/backports/2019Q4
https://github.com/joyent/pkgsrc/tree/joyent/feature/backports/2018Q4

Otherwise for quite a few years now I've simply been recommending that users follow trunk, as you always get all of the latest security fixes and stable releases. If you're building packages yourself then you'll need some buffer between building and deploying to ensure that everything you need is still working, but for my binary package users this has worked very well (modulo the recent haproxy -fwrapv screwup).
-- Jonathan Perkin - Joyent, Inc. - www.joyent.com