On Wed, Oct 12, 2005 at 06:32:36PM +0200, Ivan Voras wrote:
> Mike Tancsa wrote:
> >At 10:13 AM 12/10/2005, Ivan Voras wrote:
> 
> >>My idea is that there could maybe be some "core" ports, about 1500 or so,
> >
> >This sounds like a recipe for confusion.  Some users have problems 
> >distinguishing between what's in the base, and what's out of the ports.  
> >Another type of "pseudo base app" would just add to the confusion.  User
> 
> I agree that "core ports" is a very confusing name... maybe something 
> like "ports with extended security support" :)
> 
> >/ admins need to take *some* responsibility for what is installed on 
> >their system.  Many ports are not very well maintained in the first 
> >place and to say that the security team should be responsible for 
> >another 1500 applications is not realistic.
> 
> No, not the FreeBSD security team - I mentioned them only as a reference 
> for "how long does it make sense to support a release". All ports that 
> would get the extended support will HAVE to be supported by their 
> respective maintainers/authors. Any port whose maintainer doesn't want 
> to do it this way will automatically get kicked off the list.

If you do it this way you'll get the highest number of points of
failure possible. This work should be done by a few persons, _not_ by
1500 persons/maintainers for 1500 "security enhanced ports".

> 
> The reason why I think this would work is that I think that many 
> widely-used applications (e.g.: apache, php, mysql, postgresql, perl, 
> postfix) are well maintained by their authors and there would certainly 
> be an audience among the maintainers themselves for such a thing.
> 
> To summarize:
>  - each release would tag the ports tree with RELENG_x_y
>  - on that tag, certain ports would be supported security-wise by their 
> maintainers for as long as RELENG_x_y itself is supported by the 
> security team, being careful to leave the same version of the port (or 
> one that's 100% backward compatible).
>  - other ports would not be supported/maintained, and will just be 
> "frozen in time" by the CVS tag.

Then all other ports are excluded from getting security fixes and will
become useless in a production/critical environment.

The other ports should be available as in a normal system, just as it is
today - in a newer version. That's still better than an old _and_
insecure version.

Greetings,
Jonathan
-- 
 | /"\   ASCII Ribbon   | Jonathan Glaschke - Lorenz-Görtz-Straße 71,
 | \ / Campaign Against | 41238 Mönchengladbach, Tel: 02166-265876
 |  X    HTML In Mail   | Mobil: 0162-3390789, ICQ: 231021883
 | / \     And News     | http://jonathan-glaschke.de/
