Re: [EXTERNAL] Re: Will OpenSSL 1.1l be back ported to 2021Q2?

[nia <nia%NetBSD.org@localhost>]

On Tue, Sep 07, 2021 at 06:24:09PM -0400, Greg Troxel wrote:
> > I have to admit that I agree with the general sentiments stated
> > below. I understnad that a package like Openssl affects a large number
> > of other packages, and thus warrants a reasonable amount of testing to
> > avoid adverse impact. That is, impact beyond that due to the
> > vlunerability itself. I also understand that as we approach the end of
> > a given releases lifecycle, attention is focused on preparing and
> > testing the upcoming release.
> 
> NetBSD proper has hired a release engineer.  With funding, TNF could
> probably hire someone to do this sort of work for pkgsrc.

I don't think lack of release engineers is the problem here,
pkgsrc developers use current. They kinda have to. So they're
uninterested in requesting pullups to stable and it simply
doesn't happen.

Lately I've seen a handful of security-critical updates where
the committer never makes a pullup request, so I've been doing
it myself if I think the update is important.

It doesn't help that pkgsrc openssl is mostly a Linux and
older-NetBSD-releases thing (I think most illumos users are
using the current branch too).