Why do i have to use latest packages vs quarterly in order to get security updates?

Hi,

There is a new version of Firefox (73), which fixes some serious bugs, released yesterday.


I wanted to update it but learned that the fixes didn't go to the quarterly packages, so I had to change pkg to fetch the latest packages using the instructions here:

Why is this? I was under the impression that security updates go to quarterly as well?
 
From the looks of that page, it seems like they can build selectively and it only takes a couple hours. Not a particularly good explanation. Maybe a better question would be why hasn't it been patched into HEAD?
 
Ports are usually updated by submitting a bug report. If it’s a security issue, there is the option to request that the fix be merged to the quarterly branch as well as head.

Latest packages are built from ports head (might not actually be called that, but I’m on my phone and it’s too much of a pain to check). Either way, latest should always be built from the most recently committed ports tree. This is why it isn’t the default repo, as a commit to one port could possibly break builds for others that depend on it, and using quarterly gives time to spot these issues.

Quarterly packages are built from the quarterly branch. So the real question is, if this is a genuine security-related fix, why wasn’t it flagged to be merged into quarterly?

Or it was, and just hasn’t had the pkg built yet.
 
From the looks of that page, it seems like they can build selectively and it only takes a couple hours.
The "Exp" builds are triggered by submitted patches (notice how they all refer to PR numbers). They are, in essence, test builds. If they fail the patch isn't committed.

Maybe a better question would be why hasn't it been patched into HEAD?
It is. If it wasn't there wouldn't be a package either. Everything starts with a port. All packages are built from ports, always, no exceptions.

 
It should also be taken into account that the package repository catalogues (pkg-repo(8)) are updated only every 3 days. Even if an updated/upgraded package is present in the repository, it's not available for pkg(8) until the catalogue is updated. This can give the impression that a package is not updated/upgraded.

In the case of quarterly www/firefox, the latest port update was committed on February 10th, a package was placed in the repository on February 12th, and the package repository catalogue (meta, digests, packagesite) was updated on February 13th.
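The two posts above describe the moving parts a user actually touches: which package set pkg(8) follows (quarterly by default, latest built from ports head) and the catalogue that pkg(8) consults before it will see a newly built package. The script below, an added example that is not from any thread participant, writes the standard repository override that switches a host to the latest set, forces a catalogue refresh so the newest package metadata is fetched immediately, and audits the installed packages against the VuXML database. It assumes the stock FreeBSD layout (base repo definition in /etc/pkg/FreeBSD.conf, overrides read from /usr/local/etc/pkg/repos/); the optional directory argument and the `--apply` switch are this example's own conventions so the file-writing part can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): point pkg(8) at the latest package set,
# refresh the catalogue, and audit installed packages.
# Assumes the stock FreeBSD layout: /etc/pkg/FreeBSD.conf is shipped by base
# and overrides are read from /usr/local/etc/pkg/repos/. The optional directory
# argument is this example's own convention for testing on a scratch directory.

# Write an override that repoints the "FreeBSD" repository at the latest set.
# Only the url key is overridden; mirror_type, signature_type and fingerprints
# continue to come from /etc/pkg/FreeBSD.conf, so signature checking stays on.
write_latest_repo_conf() {
    repo_dir="${1:-/usr/local/etc/pkg/repos}"
    mkdir -p "$repo_dir"
    cat > "$repo_dir/FreeBSD.conf" <<'EOF'
# Override of /etc/pkg/FreeBSD.conf: follow the latest package set
# (built from ports head) instead of the default quarterly branch.
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}
EOF
}

# Print the package set named in a repository file ("latest" or "quarterly")
# so the configured branch can be checked from a script.
repo_branch_of() {
    sed -n 's|.*/\([a-z]*\)"$|\1|p' "$1"
}

# Force a catalogue refresh and audit. Skipped when pkg(8) is not installed so
# the script also runs on non-FreeBSD hosts.
refresh_and_audit() {
    if ! command -v pkg >/dev/null 2>&1; then
        echo "pkg(8) not found; skipping catalogue refresh" >&2
        return 0
    fi
    pkg update -f        # fetch a fresh catalogue instead of trusting the cached one
    pkg audit -F         # fetch the VuXML database and list vulnerable installed packages
    pkg version -vRL=    # show installed packages that differ from the remote catalogue
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    write_latest_repo_conf
    refresh_and_audit
fi
```

Run it as root with `--apply` to switch a host; without the flag it only defines the functions. `pkg -vv` afterwards shows the merged repository configuration, which is the quickest way to confirm the override took effect before running `pkg upgrade`.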
 
Thanks shkhln, I appreciate that you took the time to correct my faulty conclusion. My apologies to all; there is limited information, at least I couldn't find any, concerning the update process of the package repositories. I took as a base the information at hand and past experience. I was sure I drew the right conclusions; obviously I was wrong.
@Sevendogsbsd and @CyberCr33p, you might want to take your thanks back, I got them undeservedly. Again, my apologies.
 
Was it? That sounds kinda unsafe, unless Poudriere keeps old packages around until metadata update. Most likely the package was built 12th and published on 13th.
It is, since the system detects the vulnerabilities, and if the package or port repositories are not updated to the latest version, the system cannot fix the vulnerabilities or update the software. I don't use Poudriere because it's too confusing in its configuration; I never could with poudriere.
 