Yearly packages repository with security patches?

Hi,
I was wondering why only quarterly / latest packages repositories receive security updates.
Is it possible to have a yearly packages repo with security updates applied?
I don't want to get packages to upgrade version every 3 months.

Thanks a lot,
Best
 
I was wondering why only quarterly / latest packages repositories receive security updates.
Because that's the only kind we have.

Is it possible to have a yearly packages repo with security updates applied?
Only if you set up your own repository and manage everything yourself.
 
This is not a problem but where can I find the security patches?
What security patches are you looking for? If a port has a security issue then that port just gets updated to the new, fixed, version. But obviously only if the issue has actually been resolved upstream.
 
Let me share more details on my requirement.
Let's say that I want to stay sticky to 12.1 release_1 packages.
This repo now contains nginx-1.16.1_4,2.txz.
I want to apply the patch from this vuln https://vuxml.freebsd.org/freebsd/87679fcb-be60-11e9-9051-4c72b94353b5.html to it.

Should I copy in the release_1 ports tree the new nginx port taken from quarterly and rebuild everything using poudriere/synth?
I don't think this will work...
How should I handle this?

My point is to have a more strict version policy in place, I don't need to have the latest version as far as they don't have any known vulnerabilities...
Let's say something like Debian security patch management...

Thx
 
Let's say that I want to stay sticky to 12.1 release_1 packages.
Don't use that one. Use latest or quarterly.

This repo now contains nginx-1.16.1_4,2.txz.
Yes, it hasn't been updated since October I believe. Again, don't use that repository.

My point is to have a more strict version policy in place, I don't need to have the latest version as far as they don't have any known vulnerabilities...
Set up your own repository so you can update what you want, when you want it.

Should I copy in the release_1 ports tree
There is no "release_1" ports tree. There's only one ports tree, there are however quarterly branches taken from it. The difference between release_0 and release_1 package repository is that one was built for 12.0 and the other for 12.1. It is however based on the exact same ports tree. All versions of FreeBSD use one and the same ports tree. There are NO version differences between FreeBSD versions like you would have with a Linux distribution (massive changes between RedHat 7 and 8 for example).

How should I handle this?
Set up poudriere with a subversion ports tree. Then in /usr/local/poudriere/ports/default (assuming you're using the 'default' ports tree) you can use subversion to update what you want, or not.


Oh, and that security issue was already fixed some time ago: https://svnweb.freebsd.org/ports?view=revision&revision=508898
It's been fixed in the previous quarterly too. Which is another reason not to use that release_1 repository.
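
An added example, not part of the thread and not any poster's own script: one way to do the selective update described in the reply above, taking the list of ports to refresh from `pkg audit` and leaving the rest of the tree pinned. The jail name `121amd64`, the function names and the `run` argument are assumptions; the tree name and path are the ones given in the thread.

```sh
#!/bin/sh
# Security-only updates for a self-hosted poudriere repository (added example).
# Assumptions: jail "121amd64" is a hypothetical name, the 'default' tree is a
# subversion checkout, and this host has the pinned packages installed.
PORTS_DIR="${PORTS_DIR:-/usr/local/poudriere/ports/default}"
JAIL="${JAIL:-121amd64}"
TREE="${TREE:-default}"

# Origins (e.g. www/nginx) of installed packages with a known vulnerability.
# -F refreshes the VuXML database, -q prints one name-version per line.
# pkg audit exits non-zero when it finds something, so its status is ignored.
vulnerable_origins() {
    { pkg audit -Fq || true; } | while read -r pkgname; do
        pkg query %o "$pkgname"
    done | sort -u
}

# Update only the given port directories, then rebuild them with poudriere.
# If a newer port needs framework (Mk/) or dependency changes that the pinned
# tree lacks, the build can fail at this step rather than on the clients.
update_ports() {
    [ "$#" -gt 0 ] || return 0
    for origin in "$@"; do
        svn update "${PORTS_DIR}/${origin}" || return 1
    done
    poudriere bulk -j "$JAIL" -p "$TREE" "$@"
}

# Full pass: refresh whatever pkg audit flags, nothing else.
security_only_update() {
    # Origins never contain whitespace, so word splitting is safe here.
    update_ports $(vulnerable_origins)
}

# Runs only when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    security_only_update
fi
```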
 