Quarterly and security fixes

I'm sure this has been asked and answered in other threads, but I'm still unsure of what is best for my scenario. I manage multiple FreeBSD servers and security is a big concern. Recently we started migrating servers from our own Poudriere server to the default repo. After running a few of our servers on the quarterly repo we are seeing packages with vulnerabilities that are not getting security fixes backported (postgresql10-server, openjpeg) and other ports where security fixes took a long time coming (curl). I'm sure I could create a PR for these ports and possibly speed up the process, but I'm asking myself whether I'm better off on latest and dealing with breakages, rather than waiting for security fixes and working around them not coming?

I'm interested to hear what you are doing and why.
 
I would switch back to Poudriere actually. That way you can keep track of the latest ports but it's left up to you when and how you 'snapshot' it. So you could basically create your own quarterly type repository. Or a monthly, or weekly.
 
+1 what SirDice said.
You can patch things yourself; keep the last X repos so you can rollback and forward; update overnight; have different repos for different option sets.

For example, I have one repo for servers with conservative options, without office or browser applications, while my workstation repo has all the office stuff, browsers, and lots of options tuned.
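To illustrate the "keep the last X repos so you can rollback and forward" approach from the two replies above, here is an added example script (not from this thread, and not part of Poudriere itself). It assumes a hypothetical layout: Poudriere publishes into `SRC_REPO`, dated copies live under `SNAP_ROOT`, and a `current` symlink marks the snapshot that clients' `pkg` repo configuration points at. Moving the symlink is what rolls a fleet back or forward; pruning keeps only the newest `KEEP` snapshots and never deletes the active one.

```shell
#!/bin/sh
# Added example: snapshot a locally built package repository and allow
# rollback/roll-forward by switching a "current" symlink.
# All paths below are hypothetical defaults and can be overridden via
# the environment before calling the functions.
set -eu

: "${SRC_REPO:=/usr/local/poudriere/data/packages/12amd64-default}"  # assumed Poudriere output
: "${SNAP_ROOT:=/var/repo-snapshots}"                                 # assumed snapshot directory
: "${KEEP:=4}"                                                        # snapshots to retain

# current_snapshot: name of the snapshot the "current" symlink points at.
current_snapshot() {
    readlink "$SNAP_ROOT/current"
}

# list_snapshots: print snapshot directory names, oldest first.
# Dated names (YYYYMMDD-HHMMSS) sort chronologically when sorted lexically.
list_snapshots() {
    for p in "$SNAP_ROOT"/*/; do
        d=$(basename "$p")
        [ "$d" = current ] || [ ! -d "$p" ] || printf '%s\n' "$d"
    done
}

# prune_snapshots: remove the oldest snapshots beyond KEEP, never the active one.
prune_snapshots() {
    cur=$(readlink "$SNAP_ROOT/current" 2>/dev/null || true)
    list_snapshots | sort -r | {
        count=0
        while read -r d; do
            count=$((count + 1))
            if [ "$count" -gt "$KEEP" ] && [ "$d" != "$cur" ]; then
                rm -rf "$SNAP_ROOT/$d"
            fi
        done
    }
}

# snapshot_repo [name]: copy SRC_REPO into SNAP_ROOT/<name>, make it current,
# then prune. Prints the snapshot name.
snapshot_repo() {
    name="${1:-$(date +%Y%m%d-%H%M%S)}"
    dest="$SNAP_ROOT/$name"
    mkdir -p "$dest"
    cp -Rp "$SRC_REPO/." "$dest/"
    ln -sfn "$name" "$SNAP_ROOT/current"
    prune_snapshots
    printf '%s\n' "$name"
}

# switch_relative older|newer: move "current" one snapshot back or forward.
# Fails (exit 1) when there is no snapshot in that direction.
switch_relative() {
    cur=$(current_snapshot)
    prev=""
    target=""
    for d in $(list_snapshots); do
        if [ "$1" = older ] && [ "$d" = "$cur" ]; then target="$prev"; break; fi
        if [ "$1" = newer ] && [ "$prev" = "$cur" ]; then target="$d"; break; fi
        prev="$d"
    done
    [ -n "$target" ] || { echo "no $1 snapshot than $cur" >&2; return 1; }
    ln -sfn "$target" "$SNAP_ROOT/current"
    printf '%s\n' "$target"
}
```

Typical use is `snapshot_repo` after each `poudriere bulk` run (or on whatever cadence you choose, which is how the "own quarterly" idea in the first reply becomes a weekly or monthly one), `switch_relative older` when an update breaks something, and `switch_relative newer` once the problem is fixed. Because clients only ever see the `current` path, no client-side configuration changes are needed to roll back.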
 