Re: ports security branch

On Tuesday 20 December 2005 11:18, rihad wrote:
> Yann Golanski wrote:
> > Quoth rihad on Tue, Dec 20, 2005 at 10:25:59 +0400
> >
> >>Is there a security branch for the FreeBSD ports collection? Let's say,
> >>I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages
> >>(i.e., those on the CD). Running security/portaudit after a while
> >>reveals that some of the installed packages have vulnerabilities. Am I
> >>on my own to go grab the fresh ports tree, and upgrade the affected
> >>software, suffering all the intricacies of the move by myself? Debian
> >>GNU/Linux has its security package updates, OpenBSD has a separately
> >>maintained "errata" ports branch (it's very likely you still get to
> >>download a newer release of the software, though).
> >
> > Attached is a script I use to update my machines. It works fine but
> > you need to understand what it does and not run it blindly. DO NOT put
> > that in cron, there lies pain!
> >
> > Otherwise, just run the script and it will update all your ports for
> > you. It'll even mail you with the updated ports.
> [script snipped]
> A very interesting script for its own purpose, but I'm afraid this
> doesn't answer my question at all.

FreeBSD accepts limited responsibility for what is in /usr/ports. Maintaining
security is not one of them.

> Perhaps seeing the way that e.g.
> Debian deals with the upgrade problem might shed some light on the
> issue. Hell, FreeBSD does exactly that for the base world+kernel, too!
> Not for the ports, though.

See above. Instead of focusing on the method, focus on the end-goal: you want
security updates on your ports and the script posted attempts to provide
I had one that was safe to run in cron (in fact it ran in periodic/daily), but
uses a cvs tree of ports, not cvsup to save time[1]. I lost it with a disk
crash, but was going to recreate it anyway, might as well do it now if people
are interested.

[1] cvsup, although faster on the entire tree, cannot update a single
Melvyn Sopacua

Qt: 3.3.5
KDE: 3.4.3