Packages and security issues

I really would like to switch to FreeBSD, but there's one issue that has been bugging me for ages, and has always made me fall back to good old Slackware:

Whenever I install xorg and a desktop environment (gnome/kde/xfce) with pkg_add -r, portaudit tells me that xorg and gnome have tainted my system with 10-12 packages having security problems. This has always been the case, starting from FreeBSD 8.0 up to the recent 9.0.

This is something I just don't get with FreeBSD: why do they provide packages in the official repo, which have known security problems?

Since I never managed to build e.g. gnome from the ports collection, I would like to know:
  1. Is it a serious security concern - having portaudit say that e.g. xorg has exploitable packages?
  2. How do others handle that issue?
  3. Is there a way to deal with pkg_add -r xorg gnome - and avoid security problems? Or does the only solution lie in a make install clean approach?

I would be very grateful for serious help!
 
Set your PACKAGESITE to a -stable package tree. The -release packages are created when the release is made and are NEVER updated.
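As an added illustration of the advice above (example code, not from the thread's posters), a small POSIX sh helper that derives a -stable package tree URL from the architecture and the `uname -r` version string, plus a check that flags a PACKAGESITE still pointing at a frozen -release tree. The mirror base and the `packages-<major>-stable/Latest/` directory layout are assumptions of this example.

```shell
#!/bin/sh
# Derive a -stable PACKAGESITE URL for pkg_add -r from an architecture and a
# FreeBSD version string such as "9.0-RELEASE" or "8.2-RELEASE-p3".
# Assumption: the mirror publishes per-major-version trees named
# packages-<major>-stable/Latest/ under this base URL.
MIRROR="ftp://ftp.freebsd.org/pub/FreeBSD/ports"

# stable_packagesite ARCH VERSION
# Prints the -stable tree URL; fails if VERSION has no numeric major part.
stable_packagesite() {
    arch="$1"
    version="$2"
    # Major version is everything before the first dot ("9.0-RELEASE" -> "9").
    major="${version%%.*}"
    case "$major" in
        ''|*[!0-9]*)
            echo "stable_packagesite: cannot parse version '$version'" >&2
            return 1
            ;;
    esac
    printf '%s/%s/packages-%s-stable/Latest/\n' "$MIRROR" "$arch" "$major"
}

# is_release_site URL
# Succeeds if URL points at a -release tree, i.e. packages frozen at release
# time that never receive security updates.
is_release_site() {
    case "$1" in
        *-release/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Typical use on the FreeBSD host itself (commented out so the file can be
# sourced without side effects):
#   PACKAGESITE=$(stable_packagesite "$(uname -m)" "$(uname -r)")
#   export PACKAGESITE
#   pkg_add -r xorg gnome2 && portaudit -Fda
```

Run `portaudit -Fda` after installing from the -stable tree to confirm the previously reported packages are no longer flagged.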
 
Thank you very much for that quick reply! Obviously, I misunderstood what -STABLE means, thinking it only comprises kernel and userland. Great! I hope that will do it. :)
 
There's a difference between a -STABLE base and -stable packages. They have nothing to do with each other.
 
The -stable packages are compiled on a machine running a -STABLE version of FreeBSD; that's what the name of the directory refers to. Compiling the packages on -STABLE also serves as a test for ABI stability (which is what STABLE really means in this context), so that the changes to -STABLE haven't broken the binary compatibility with the earlier -RELEASE versions in the same major version line.
 