Subject: Re: general pkgsrc release engineering question
To: None <netbsd-help@netbsd.org>
From: Jan Schaumann <jschauma@netmeister.org>
List: netbsd-help
Date: 04/11/2005 09:23:35

Martijn van Buul <martijnb@atlas.ipv6.stack.nl> wrote:
> AFAIK yes, with the added remark that packages might get removed in case
> of security issues. (If package foo was at version 1.2 when 2005Q1 was
> branched, and when it was later discovered that foo-1.2 has a security
> leak (fixed in foo-1.2nb3 in HEAD), foo-1.2.tar.gz gets deleted, but no
> foo-1.2nb3 will be generated for 2005Q1. At least, that's my understanding of
> it all.)

Ideally, it'll work like this:

If there is a security issue in foo-1.2, and it has been fixed in
pkgsrc-HEAD, then usually a pullup-request is made, and the fix included
in the latest supported pkgsrc branch.  Subsequently, binary packages
are built and uploaded to replace the ones that were deleted.

This process may take a while and involves the due diligence of (a) the
person fixing the security hole (to make the pullup request), (b) the
pkgsrc releng team (to pullup the request), and (c) the bulk-builders
(to produce new binary packages).

-Jan

-- 
   This is so cool I have to go to the bathroom.
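The exchange above turns on pkgsrc package naming: foo-1.2 is the vulnerable build, foo-1.2nb3 is the same upstream version with a pkgsrc revision bump carrying the fix, and the question for someone running a stable branch is whether the binary packages they have are at or above the fixed version. The following is an added example, not code from this thread or from pkgsrc itself: a simplified version comparison in the spirit of pkgsrc's dewey ordering (numeric components compared left to right, alpha/beta/rc sorting below a plain release, a trailing single letter counted as a sub-component, and the nb revision compared last). The package list and the function names are constructed for illustration; pkgsrc's real comparison lives in pkg_install and handles more cases than this.

```python
import re
from typing import List, Tuple

# Pre-release tags sort below a bare version; "pl" (patch level) is neutral.
# This table is a simplification of pkgsrc's dewey rules (assumption).
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def split_pkg_name(pkg: str) -> Tuple[str, str]:
    """Split 'foo-1.2nb3' into ('foo', '1.2nb3').

    The version is the part after the last '-' that is followed by a digit,
    so multi-word names such as 'gtk2-engines-2.6.3' split correctly.
    """
    m = re.match(r"^(.*)-(\d[^-]*)$", pkg)
    if not m:
        raise ValueError(f"no version in package name: {pkg}")
    return m.group(1), m.group(2)


def parse_version(ver: str) -> Tuple[List[int], int]:
    """Turn a pkgsrc version into (base components, nb revision).

    '1.2nb3'  -> ([1, 2], 3)
    '1.2rc1'  -> ([1, 2, -1, 1], 0)
    '0.9.7d'  -> ([0, 9, 7, 4], 0)   # single letter counts as a sub-version
    """
    base, _, nb = ver.lower().partition("nb")
    nbrev = int(nb) if nb else 0          # raises ValueError on junk after "nb"
    comps: List[int] = []
    for tok in re.findall(r"\d+|[a-z]+", base):
        if tok.isdigit():
            comps.append(int(tok))
        elif tok in _MODIFIERS:
            comps.append(_MODIFIERS[tok])
        elif len(tok) == 1:
            comps.append(ord(tok) - ord("a") + 1)
        else:
            raise ValueError(f"unsupported version modifier {tok!r} in {ver}")
    return comps, nbrev


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as version a is older than, equal to or newer than b."""
    comps_a, nb_a = parse_version(a)
    comps_b, nb_b = parse_version(b)
    width = max(len(comps_a), len(comps_b))
    # Missing trailing components count as 0, so 1.2 == 1.2.0 and 1.2 > 1.2rc1.
    comps_a += [0] * (width - len(comps_a))
    comps_b += [0] * (width - len(comps_b))
    if comps_a != comps_b:
        return -1 if comps_a < comps_b else 1
    return (nb_a > nb_b) - (nb_a < nb_b)


def still_vulnerable(binary_pkgs: List[str], fixed_pkg: str) -> List[str]:
    """List the packages in binary_pkgs that share fixed_pkg's name but are
    older than it, i.e. the ones a pullup and rebuild should have replaced."""
    fixed_name, fixed_ver = split_pkg_name(fixed_pkg)
    stale = []
    for pkg in binary_pkgs:
        name, ver = split_pkg_name(pkg)
        if name == fixed_name and compare_versions(ver, fixed_ver) < 0:
            stale.append(pkg)
    return stale


if __name__ == "__main__":
    # Constructed sample: what a branch's binary package directory might hold.
    on_branch = ["foo-1.2", "foo-1.2nb3", "bar-3.0", "gtk2-engines-2.6.3"]
    print(still_vulnerable(on_branch, "foo-1.2nb3"))   # ['foo-1.2']
```

Given a listing of a branch's binary package names and the package name from the pullup, the last function reports exactly the builds that predate the fix, which is the check to run before trusting that the rebuild described above has actually landed.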
