Subject: Re: general pkgsrc release engineering question
To: None <netbsd-help@netbsd.org>
From: Tom Nakamura <imifumei@imap.cc>
List: netbsd-help
Date: 04/11/2005 11:32:55
On Mon, 11 Apr 2005 09:23:35 -0400, "Jan Schaumann"
<jschauma@netmeister.org> said:
> Martijn van Buul <martijnb@atlas.ipv6.stack.nl> wrote:
>
> > AFAIK yes, with the added remark that packages might get removed in case
> > of security issues. (If package foo was at version 1.2 when 2005Q1 was
> > branched, and when it was later discovered that foo-1.2 has a security
> > leak (fixed in foo-1.2nb3 in HEAD), foo-1.2.tar.gz gets deleted, but no
> > foo-1.2nb3 will be generated for 2005Q1. At least, that's my understanding of
> > it all.)
>
> Ideally, it'll work like this:
>
> If there is a security issue in foo-1.2, and it has been fixed in
> pkgsrc-HEAD, then usually a pullup-request is made, and the fix included
> in the latest supported pkgsrc branch. Subsequently, binary packages
> are built and uploaded to replace the ones that were deleted.
>
> This process may take a while and involves the due diligence of (a) the
> person fixing the security hole (to make the pullup request), (b) the
> pkgsrc releng team (to pullup the request), and (c) the bulk-builders
> (to produce new binary packages).
>
> -Jan
So say foo-1.2 had a security hole, a pullup request is made, and the
releng team builds/uploads a replacement. Is there a mailing list or
something to notify us when that happens, and is there a need to
synchronize our pkgsrc (with cvsup, etc.)?
Tom
--
eyefull@eml.cc