Re: updating vulnerable package in pkgsrc (gimp24)

[Greg Troxel <gdt%ir.bbn.com@localhost>]

Anne Bennett <anne%porcupine.montreal.qc.ca@localhost> writes:

I have redirected this to pkgsrc-users.

> I wanted to install gimp24 from pkgsrc-2007Q2, but "make fetch"
> stopped me with an error explaining that the version I had (2.3.18)
> had a security vulnerability.  The documentation at
>   ftp://ftp.NetBSD.org/pub/pkgsrc/current/pkgsrc/graphics/gimp24/README.html
> suggests that the latest version is 2.3.18nb1, not 2.3.18.
>
> I tried "cd /usr/pkgsrc; cvs -q update -dP", but it has not picked up
> any updates since a run earlier this morning.  I was finally able to get
> an updated version of gimp24 by downloading the pkgsrc-current tarball.

That will update along the branch.  A security update gnerally should be
and is pulled up to the branch, but that takes time.

> *Should* my "cvs" operation have picked up an updated version of gimp24,
> or am I going about this all wrong?

It will, but it will usually take longer.

> The release announcement said that "continuing engineering starts on
> the pkgsrc-2007Q2 release", and the tarball does seem to get updated
> weekly or so, so I had the impression that I should be able to pick up
> this update.  Perhaps I just tried at the wrong moment, but gimp24 in
> pkgsrc-current seems to have been updated on July 5, so I wonder if
> someone missed porting that update back to 2007Q2.

Quite possibly.

> I don't have a deep understanding of what changes are or are not
> included in released software trees, so I apologize if I seem to be
> making unreasonable demands; such is not my intention.

No, you've asked a fair question.