Re: no 4.2-stable package updates??
Hi Brian, On Wed, 12.12.2007 at 11:26:13 -0500, Brian A. Seklecki [EMAIL PROTECTED] wrote: There's a vulnxml feed for OpenBSD ports. It should be updated with critical patches, and those should be pulled into 4.2-stable. are you talking about this website? http://www.vuxml.org/openbsd/ Kind regards, --Toni++
Re: : : no 4.2-stable package updates??
On Thu, Dec 13, 2007 at 04:10:39PM -0500, Jason Beaudoin wrote: On Dec 13, 2007 1:05 PM, Raimo Niskanen [EMAIL PROTECTED] wrote: On Thu, Dec 13, 2007 at 01:07:17PM +, Jonathan Thornburg wrote: First, I'd like to thank those who provided useful responces to my query (which started this thread), both on- and off-list. I had missed the announcement (http://marc.info/?l=openbsd-portsm=119347390302171w=1) that -stable ports packages are no longer maintained. As I recall from the FAQ and installation manual, an overall philosphy for OpenBSD is that the package system is the recommended. Users are encouraged to install from binary packages. And regular users should follow the stable branch. Does this still apply. It seems not from this thread, so in what way should a regular user now follow the stable branch? And yes, it should be in the FAQ. Or is this just a temporary setback? As an inexperienced user, I still hear: use the package system. But on -release.. which is *supported.* Oh dear, sorry about the noise. I apparetly have misunderstood simple things. -release being patched from the package system is exactly what I want. I have mistaken -stable for -release. I am sorry again. I agree that since there were -release, -stable and -current; -stable is the least important. And there are still snapshots that will do as a substitute for -stable. Keep up the good work. I will be hiding in shame for a while... -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: no 4.2-stable package updates??
I would like to apologize for my early post to this topic, I was extremely rude and disrespectful. Please disregard it. -Nix Fan.
Re: : no 4.2-stable package updates??
Maybe I'm missing something, but it seems like security on a lot of systems is trying to play catch-up with the latest patches. I I have an enemy, that is exactly where I want him. Seems like long ago OBSD tended to have fixed the latest whatever about 6 months before everybody else woke up to the whatever. Compared to most other systems, methinks you'd come out ahead by waiting for the next CDs and then upgrading. The -release does need to be in place just in case anything critical is actually needed. To paraphrase something or other, Security is never having to patch. Dunno if OBSD is really there yet, but seems like they're close. Well.. I agree in some ways.. though I think I'm a bit too experienced to really know better. That being said, my real goal is to understand the system, how it works, and how development is done, so I'm investing the effort to better understand how to do these things. Kind regards, ~Jason
Re: no 4.2-stable package updates??
On 12.12-16:25, [EMAIL PROTECTED] wrote: I tried using pkgsrc-2007Q3 but it sucks. Updating userland in production environment with pkgsrc on a non-NetBSD platform is a nightmare. i'm working on this. will post when significant progress has been made. in my opinion having a working pkgsrc tree is better for everyone, doesn't mean we can't have an openbsd branch (so to speak) but unifying our efforts with others in this field will have benefits.
Re: : no 4.2-stable package updates??
Raimo Niskanen wrote: On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: This was announced on ports@ IIRC. So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. Now, this will prevent me from upgrading to 4.2. This is bad. The solution is very simple though. Everyone has been told what was lacking in order to keep it up, so just make those resources available and it will spring back up again. Simple as that. Noone said we dont want stable packages.
Re: : no 4.2-stable package updates??
On (2007-12-13 10:28), Janne Johansson wrote: The solution is very simple though. Everyone has been told what was lacking in order to keep it up, so just make those resources available and it will spring back up again. Simple as that. Noone said we dont want stable packages. It's going to be handled, soon.
Re: no 4.2-stable package updates??
On 2007/12/12 14:54, Unix Fan wrote: Why even have a -CURRENT ports tree?... So that there are updated ports/packages for people running -current, and quite importantly, for the next release. IME it's a lot easier to run snapshots than -stable. Have you tried it, or did you just decide you might not like it, perhaps based on experience from another OS where development is structured differently?
Re: no 4.2-stable package updates??
First, I'd like to thank those who provided useful responces to my query (which started this thread), both on- and off-list. I had missed the announcement (http://marc.info/?l=openbsd-portsm=119347390302171w=1) that -stable ports packages are no longer maintained. Because -stable ports/packages updates no longer exist, it seems to me that section 15.2.8 of the FAQ (http://www.openbsd.org/faq/faq15.html#PkgSecurity) is now incorrect. It currently reads: When serious bugs or security flaws are discovered in third party software, they are fixed in the -stable branch of the ports tree, and a selection of updated binary packages is made available. Please refer to the stable packages page to find out about updated packages and important updates to the -stable branch. The obvious fix is to simply delete these two paragraphs from section 15.2.8 of the FAQ. Comments? ciao, -- -- Jonathan Thornburg (remove -animal to reply) [EMAIL PROTECTED] School of Mathematics, U of Southampton, England Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam
Re: no 4.2-stable package updates??
[EMAIL PROTECTED] wrote: On 12.12-16:25, [EMAIL PROTECTED] wrote: I tried using pkgsrc-2007Q3 but it sucks. Updating userland in production environment with pkgsrc on a non-NetBSD platform is a nightmare. i'm working on this. will post when significant progress has been made. in my opinion having a working pkgsrc tree is better for everyone, doesn't mean we can't have an openbsd branch (so to speak) but unifying our efforts with others in this field will have benefits. Agreed. I also think that pkgsrc (http://www.netbsd.org/docs/pkgsrc/) would be a good thing to have in OpenBSD. It has over 7,300 ports, it is being released several times per year, and *has* updates in -stable. I installed and configured pkgsrc-2007Q3 release on OpenBSD 4.2 and then updated to -stable. It bootstraped correctly, built some packages but I didn't make it possible to build Perl and xxfb. It was the reason I dropped it for now. Here are the steps I performed configuring OpenBSD 4.2 to use pkgsrc-2007Q3 (the majority of actions are taken from pkgsrc guide, found in URL above, please read the guide before taking any action below)... 1) Create /root/.cvsrc with following lines: checkout -P update -dP release -d diff -upN cvs -q -z3 rdiff -u 2) Add following lines to existing /root/.profile and export these variables to running environment (there are also additional pkgsrc mirrors found at http://www.netbsd.org/mirrors/#anoncvs): CVSROOT=[EMAIL PROTECTED]:/cvsroot CVS_RSH=ssh export CVSROOT CVS_RSH 3) Checkout pkgsrc-2007Q3 release, this creates /usr/pkgsrc directory ('#' is a root prompt): # cd /usr # cvs -q checkout -rpkgsrc-2007Q3 -P pkgsrc ... ... (be patient here) 4) Then, update pkgsrc to -stable (YEAH! :-) # cd /usr/pkgsrc # cvs -q update -dP ... ... (be patient here also) (CVS keeps track of the initial checkout branch, i.e. pkgsrc-2007Q3) 5) Read the latest docs, changes and READMEs from these dirs: /usr/pkgsrc/doc/ /usr/pkgsrc/mk/defaults/ 6) Relocate original OpenBSD pkgtools (since pkgsrc has pkgtools with same names): # cd /usr/sbin # mv pkg_add pkg_add.orig # mv pkg_create pkg_create.orig # mv pkg_delete pkg_delete.orig # mv pkg_info pkg_info.orig 7) Remove PKG_PATH from environment (if set to OpenBSD repository) since both OpenBSD pkgtools and pkgsrc use this variable: unset PKG_PATH (and comment it out from /root/.profile if there) 8) Bootstrap pkgsrc (FYI: bootstrap uses /var/db/pkg as default package db, and since it is the same as OpenBSD's just use other path to avoid problems). Bootstrapping creates initial infrastructure needed to build packages: # cd /usr/pkgsrc/bootstrap # ./bootstrap --pkgdbdir /usr/pkg/db ... ... (be patient here) After bootstrap finishes successfully, /usr/pkg is created. This is a root path for running pkgsrc environment. Every installed package goes to either /usr/pkg/bin or /usr/pkg/sbin. 9) Add following lines to the environment and /root/.profile: PATH=/usr/pkg/sbin:/usr/pkg/bin:$PATH export PATH Issue the following commands (beware with ldconfig not to mistype or forget to enter any additional local library paths you may have, it may render your system unusable until next reboot!): # echo shlib_dirs=\/usr/pkg/lib\ /etc/rc.conf/local # ldconfig /usr/lib /usr/local/lib /usr/X11R6/lib /usr/pkg/lib Change /etc/man.conf line: _default/usr/{share,X11R6,local}/man/ into: _default/usr/{pkg,share,X11R6,local}/man/ 11) Issue pkg_info command (this is pkgsrc version of pkg_info) to see packages installed after the bootstrap. On my machine this is as following: # pkg_info bootstrap-mk-files-20070810 *.mk files for the bootstrap bmake utility bmake-20051105nb4 Portable (autoconf) version of NetBSD 'make' utility tnftp-20070806 The enhanced FTP client in NetBSD pax-20060202nb1 POSIX standard archiver with many extensions pkg_install-20070927 Package management and administration tools for pkg It is possible to read man pages of newly installed pkgsrc packages: # man audit-packages ... 12) Now, edit your own main pkgsrc makefile (vi /usr/pkg/etc/mk.conf), '#' is a comment: ### # Example /usr/pkg/etc/mk.conf file produced by bootstrap-pkgsrc # Wed Dec 12 10:20:21 CET 2007 .ifdef BSD_PKG_MK # begin pkgsrc settings PKG_DBDIR= /usr/pkg/db LOCALBASE= /usr/pkg VARBASE=/var PKG_TOOLS_BIN= /usr/pkg/sbin PKGMANDIR= man TOOLS_PLATFORM.pax?=/usr/pkg/bin/pax TOOLS_PLATFORM.tar?=/usr/pkg/bin/tar ### # Added by jere ### # All applications are inet6 enabled, # this avoids problems in some misbehaving applications. # If possible, I want to avoid using threads. Just don't like them. :-) # List of all options is found at # /usr/pkgsrc/mk/defaults/options.description PKG_DEFAULT_OPTIONS+= inet6 -threads # I'm not sure if this is sufficient to use # OpenBSD's native OpenSSL
Re: : no 4.2-stable package updates??
On Thu, Dec 13, 2007 at 01:07:17PM +, Jonathan Thornburg wrote: First, I'd like to thank those who provided useful responces to my query (which started this thread), both on- and off-list. I had missed the announcement (http://marc.info/?l=openbsd-portsm=119347390302171w=1) that -stable ports packages are no longer maintained. As I recall from the FAQ and installation manual, an overall philosphy for OpenBSD is that the package system is the recommended. Users are encouraged to install from binary packages. And regular users should follow the stable branch. Does this still apply. It seems not from this thread, so in what way should a regular user now follow the stable branch? And yes, it should be in the FAQ. Or is this just a temporary setback? Because -stable ports/packages updates no longer exist, it seems to me that section 15.2.8 of the FAQ (http://www.openbsd.org/faq/faq15.html#PkgSecurity) is now incorrect. It currently reads: When serious bugs or security flaws are discovered in third party software, they are fixed in the -stable branch of the ports tree, and a selection of updated binary packages is made available. Please refer to the stable packages page to find out about updated packages and important updates to the -stable branch. The obvious fix is to simply delete these two paragraphs from section 15.2.8 of the FAQ. Comments? ciao, -- -- Jonathan Thornburg (remove -animal to reply) [EMAIL PROTECTED] School of Mathematics, U of Southampton, England Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: : no 4.2-stable package updates??
On Dec 13, 2007 1:05 PM, Raimo Niskanen [EMAIL PROTECTED] wrote: On Thu, Dec 13, 2007 at 01:07:17PM +, Jonathan Thornburg wrote: First, I'd like to thank those who provided useful responces to my query (which started this thread), both on- and off-list. I had missed the announcement (http://marc.info/?l=openbsd-portsm=119347390302171w=1) that -stable ports packages are no longer maintained. As I recall from the FAQ and installation manual, an overall philosphy for OpenBSD is that the package system is the recommended. Users are encouraged to install from binary packages. And regular users should follow the stable branch. Does this still apply. It seems not from this thread, so in what way should a regular user now follow the stable branch? And yes, it should be in the FAQ. Or is this just a temporary setback? As an inexperienced user, I still hear: use the package system. But on -release.. which is *supported.* If security is of the utmost importance, following security announcements and applying patches yourself, as necessary, is the thing to do. The developers have work to do.. which involves continuing development. If you want to use -stable, which is unmaintained/unsupported, use the appropriate cvs repo and build from ports. This is how I've interpreted things, maybe I'm wrong.. but I see no point in bothering developers for package maintenance. They should be able to invest themselves as they see fit, and I'd be willing to bet that more often than not, this work would be in developing the system.. making it better for themselves, and in turn, us. We are free to do as we please. and our beloved developers are not under any support contracts. Let us let them invest themselves as they see fit.. I'm sure we'll all benefit, we have thus far. In turn, let's see where and how we can give back to them. Best regards, ~Jason
Re: no 4.2-stable package updates??
critical patches, and those should be pulled into 4.2-stable. Unfortunately, it isn't that easy. Some updates imply updates of depending ports (e.g. poppler and evince), which may imply further updates of dependencies. So you'll end up with -current -- more or less, including more updates... Mattias: Making that distinction the critical thinking responsibility of the system administrator. No vulnxml syntax exists for describing ranges of vulnerable versions compatible with every projects versioning and release engineering scheme, as they all differ. That should not stop us from doing the best we can with the existing limitations. ~BAS
Re: : no 4.2-stable package updates??
Jason Beaudoin wrote: On Dec 13, 2007 1:05 PM, Raimo Niskanen [EMAIL PROTECTED] wrote: On Thu, Dec 13, 2007 at 01:07:17PM +, Jonathan Thornburg wrote: First, I'd like to thank those who provided useful responces to my query (which started this thread), both on- and off-list. I had missed the announcement (http://marc.info/?l=openbsd-portsm=119347390302171w=1) that -stable ports packages are no longer maintained. As I recall from the FAQ and installation manual, an overall philosphy for OpenBSD is that the package system is the recommended. Users are encouraged to install from binary packages. And regular users should follow the stable branch. Does this still apply. It seems not from this thread, so in what way should a regular user now follow the stable branch? And yes, it should be in the FAQ. Or is this just a temporary setback? As an inexperienced user, I still hear: use the package system. But on -release.. which is *supported.* If security is of the utmost importance, following security announcements and applying patches yourself, as necessary, is the thing to do. The developers have work to do.. which involves continuing development. If you want to use -stable, which is unmaintained/unsupported, use the appropriate cvs repo and build from ports. This is how I've interpreted things, maybe I'm wrong.. but I see no point in bothering developers for package maintenance. They should be able to invest themselves as they see fit, and I'd be willing to bet that more often than not, this work would be in developing the system.. making it better for themselves, and in turn, us. We are free to do as we please. and our beloved developers are not under any support contracts. Let us let them invest themselves as they see fit.. I'm sure we'll all benefit, we have thus far. In turn, let's see where and how we can give back to them. Best regards, ~Jason Maybe I'm missing something, but it seems like security on a lot of systems is trying to play catch-up with the latest patches. I I have an enemy, that is exactly where I want him. Seems like long ago OBSD tended to have fixed the latest whatever about 6 months before everybody else woke up to the whatever. Compared to most other systems, methinks you'd come out ahead by waiting for the next CDs and then upgrading. The -release does need to be in place just in case anything critical is actually needed. To paraphrase something or other, Security is never having to patch. Dunno if OBSD is really there yet, but seems like they're close.
Re: no 4.2-stable package updates??
So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. -- Antoine How do you gents keep your 4.2 stable OpenBSD server ( read packages, not system ) bug free? If I remember correctly, I'm not supposed to use 4.2 stable system with current ports. Thank you for your suggestions -- ico
Re: no 4.2-stable package updates??
On Wed, 12 Dec 2007, ico wrote: How do you gents keep your 4.2 stable OpenBSD server ( read packages, not system ) bug free? If I remember correctly, I'm not supposed to use 4.2 stable system with current ports. Personnaly, I use -current (base+packages) everywhere. But this is just me. -- Antoine
Re: no 4.2-stable package updates??
There's a vulnxml feed for OpenBSD ports. It should be updated with critical patches, and those should be pulled into 4.2-stable. If your business depends on OpenBSD ports, maybe you can sponsor a 4.2-stable build sandbox. I know mine does, and I'm happy to host it. We're talking at-most 30 minutes a day of TLC. ~BAS On Wed, 2007-12-12 at 17:06 +0100, Antoine Jacoutot wrote: On Wed, 12 Dec 2007, ico wrote: How do you gents keep your 4.2 stable OpenBSD server ( read packages, not system ) bug free? If I remember correctly, I'm not supposed to use 4.2 stable system with current ports. Personnaly, I use -current (base+packages) everywhere. But this is just me. -- Brian A. Seklecki [EMAIL PROTECTED] Collaborative Fusion, Inc. IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
Re: : no 4.2-stable package updates??
On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Joe wrote: Wow. I didn't know this changed. This was announced on ports@ IIRC. So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. Now, this will prevent me from upgrading to 4.2. This is bad. -- Antoine -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: : no 4.2-stable package updates??
On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Joe wrote: Wow. I didn't know this changed. This was announced on ports@ IIRC. So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. Now, this will prevent me from upgrading to 4.2. So you assume that staying with 4.1 (or previous releases) is a better spot for you to remain. Right..
Re: : no 4.2-stable package updates??
Raimo Niskanen wrote: On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Joe wrote: Wow. I didn't know this changed. This was announced on ports@ IIRC. So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. Now, this will prevent me from upgrading to 4.2. 4.1 packages are not updated either, fyi. This is bad. -- Antoine
Re: no 4.2-stable package updates??
I tried using pkgsrc-2007Q3 but it sucks. Updating userland in production environment with pkgsrc on a non-NetBSD platform is a nightmare. -Original Message- From: ico [EMAIL PROTECTED] Date: Wed, 12 Dec 2007 16:53:03 To:Antoine Jacoutot [EMAIL PROTECTED] Cc:Joe [EMAIL PROTECTED],Martin Schrvder [EMAIL PROTECTED],Misc-Openbsd Listserv misc@openbsd.org Subject: Re: no 4.2-stable package updates?? So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. -- Antoine How do you gents keep your 4.2 stable OpenBSD server ( read packages, not system ) bug free? If I remember correctly, I'm not supposed to use 4.2 stable system with current ports. Thank you for your suggestions -- ico
Re: no 4.2-stable package updates??
ico wrote: So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. -- Antoine How do you gents keep your 4.2 stable OpenBSD server ( read packages, not system ) bug free? I run build infrastructures for the two last releases, apply patches as needed and feed the packages from the build machines to a package distribution server. All systems are then attached to this server using the PKG_PATH environment variable. That works very well. If I remember correctly, I'm not supposed to use 4.2 stable system with current ports. No, that usually does not work well. Thank you for your suggestions
Re: : no 4.2-stable package updates??
On 12/12/07, Raimo Niskanen [EMAIL PROTECTED] wrote: On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Joe wrote: So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. Now, this will prevent me from upgrading to 4.2. It isn't so that any pre-4.2-stable will be updated, so you lose nothing by upgrading. very often you can backport from -current ports without any change. --knitti
Re: : no 4.2-stable package updates??
On 12/12/07, Darren Spruell [EMAIL PROTECTED] wrote: Why -current? I thought what had fallen behind from lack of resources was binary packages. Surely OPENBSD_4_2 (stable branch of ports tree) still has updated ports. Just build -stable packages from ports (like you did in the olden days.) to quote from the original mail from Nikolay Sturm (thanks to him for doing this or much of it over some years) to misc: as you might have noticed, -stable ports have not been properly updated in the last few months. Due to lack of resources, especially a responsible maintainer, you cannot expect any updates to -stable for the foreseeable future. Although some updates might happen, -stable should be considered unmaintained. --knitti
Re: : no 4.2-stable package updates??
On Dec 12, 2007 11:41 AM, knitti [EMAIL PROTECTED] wrote: On 12/12/07, Raimo Niskanen [EMAIL PROTECTED] wrote: On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Joe wrote: So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. Now, this will prevent me from upgrading to 4.2. It isn't so that any pre-4.2-stable will be updated, so you lose nothing by upgrading. very often you can backport from -current ports without any change. Why -current? I thought what had fallen behind from lack of resources was binary packages. Surely OPENBSD_4_2 (stable branch of ports tree) still has updated ports. Just build -stable packages from ports (like you did in the olden days.) DS
Re: : no 4.2-stable package updates??
On Wednesday 12 December 2007 12:25:40 Theo de Raadt wrote: On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Joe wrote: Wow. I didn't know this changed. This was announced on ports@ IIRC. So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. Now, this will prevent me from upgrading to 4.2. So you assume that staying with 4.1 (or previous releases) is a better spot for you to remain. Right.. You really don't want to do that. Yes, not having updates to the packages in -stable is unforunate. But if you don't upgrade to 4.2, you're missing out on all the package changes since 4.1, *and* all the changes to OpenBSD itself.Take a look at http://cvs.openbsd.org/plus42.html to see them. There are at least 500 items there. Not upgrading because 4.2 doesn't have updated packages since it came out just doesn't make sense. --STeve Andre'
Re: : no 4.2-stable package updates??
knitti wrote: On 12/12/07, Raimo Niskanen [EMAIL PROTECTED] wrote: On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Joe wrote: Now, this will prevent me from upgrading to 4.2. It isn't so that any pre-4.2-stable will be updated, so you lose nothing by upgrading. very often you can backport from -current ports without any change. And there is a(n unsupported) collection of updates here: http://openbsd.rutgers.edu/4.2-stable/
Re: : no 4.2-stable package updates??
On Dec 12, 2007 1:11 PM, knitti [EMAIL PROTECTED] wrote: On 12/12/07, Darren Spruell [EMAIL PROTECTED] wrote: Why -current? I thought what had fallen behind from lack of resources was binary packages. Surely OPENBSD_4_2 (stable branch of ports tree) still has updated ports. Just build -stable packages from ports (like you did in the olden days.) to quote from the original mail from Nikolay Sturm (thanks to him for doing this or much of it over some years) to misc: as you might have noticed, -stable ports have not been properly updated in the last few months. Due to lack of resources, especially a responsible maintainer, you cannot expect any updates to -stable for the foreseeable future. Although some updates might happen, -stable should be considered unmaintained. Gah, I'll crawl back under my rock. Misremembered. DS
Re: no 4.2-stable package updates??
On Wed, Dec 12, 2007 at 11:26:13AM -0500, Brian A. Seklecki wrote: There's a vulnxml feed for OpenBSD ports. It should be updated with critical patches, and those should be pulled into 4.2-stable. Unfortunately, it isn't that easy. Some updates imply updates of depending ports (e.g. poppler and evince), which may imply further updates of dependencies. So you'll end up with -current -- more or less, including more updates... Ciao, Kili -- Ich habe noch niemanden gesehen, der eine man-page so schnell verstehen kann, wie sie einem ein 486er auf den Schirm haut. -- Martin Neitzel
Re: no 4.2-stable package updates??
This really does suck... While we as users appreciate developers hard work, A majority rely on -STABLE for updated and secure 3rd party software.. You really can't expect everyone to use -CURRENT in a production environment.. and it's been made clear that using -CURRENT ports on a -STABLE system is a bad idea. ([i]And not entirely easy either..[/i]). Why even have a -CURRENT ports tree?... -STABLE should be the tree maintained for the 6 months between releases.. Please reconsider discontinuing the -STABLE tree, people depend on it... people depend on you.. :( -Nix Fan.
Re: no 4.2-stable package updates??
On 12 Dec 2007 14:54:59 -0800, Unix Fan [EMAIL PROTECTED] wrote: Why even have a -CURRENT ports tree? Um, to have somewhere for new and updated ports to go?
Re: no 4.2-stable package updates??
Unix Fan writes: This really does suck... While we as users appreciate developers hard work, A majority rely on -STABLE for updated and secure 3rd party software.. Really? You have statistics? I'd be curious to see how many run stable vs. old releases vs. current. Why even have a -CURRENT ports tree?... -STABLE should be the tree maintained for the 6 months between releases.. You do realize that ports maintenance is a volunteer effort and that volunteers get burned out. I'm speaking from experience in that I more-or-less managed the ports tree for several releases way back when when it was a lot easier. No packages (packages were just being born about the time I stopped) and there were less than 1/4 the number of ports you have today. You are asking for volunteers to double their work effort. I don't see that happening. If you want specific things done I suggest you come up with funding. I did that a few times, too, in the form of when I can run foo on my machine I'll send you a check for $$$. // marc
Re: no 4.2-stable package updates??
On 12 Dec 2007 14:54:59 -0800, Unix Fan wrote: This really does suck... While we as users appreciate developers hard work, A majority rely on -STABLE for updated and secure 3rd party software.. So why does that majority not provide the skills or the money to support that facility? Maybe you should use something else that panders to your appetite. You really can't expect everyone to use -CURRENT in a production environment.. and it's been made clear that using -CURRENT ports on a -STABLE system is a bad idea. ([i]And not entirely easy either..[/i]). Why even have a -CURRENT ports tree?... -STABLE should be the tree maintained for the 6 months between releases.. The current tree is where development happens. No current=no new stuff (including version updates for apps) You are full of shoulds. Here is one back: You should be working towards providing the necessary resources to get your wants. Please reconsider discontinuing the -STABLE tree, people depend on it... people depend on you.. :( -Nix Fan. Nix is what you are really doing to get what you want, apart from whining. Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Re: no 4.2-stable package updates??
So why does that majority not provide the skills or the money to support that facility? Maybe you should use something else that panders to your appetite. Completely unable to resist a great setup presented above, is the software really free then? Brian
Re: no 4.2-stable package updates??
On Wed, 12 Dec 2007 16:56:08 -0800 (PST), Brian wrote: So why does that majority not provide the skills or the money to support that facility? Maybe you should use something else that panders to your appetite. Completely unable to resist a great setup presented above, is the software really free then? If you don't know what free means in the context of OpenBSD then you should do some research. If you do, you're a troll. And for those who just expect it without paying in money, kind or effort there is a good Aussie word: Bludger. If the cap fits wear it. Be aware too that just buying a Tshirt or a CD set doesn't buy a whining licence. There are people who really really need something and who fund it. Guess what? Everybody else who might need it gets it without paying. Even the bludgers. So don't whine, just wait and when someone else makes it possible, hey, you can leech away. Rod/ In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
Re: no 4.2-stable package updates??
On 12-Dec-07, at 5:54 PM, Unix Fan wrote: You really can't expect everyone to use -CURRENT in a production environment.. Wow, I've read an unusual amount of stupid things on this list in the last two days but this takes the cake (hint: it's not about whether or not people run -current or -stable). This would be insulting even to someone with whom you'd signed a contract and paid to provide you with software. Please stop before you give the rest of us casual users a really bad name.
Re: no 4.2-stable package updates??
Brian [EMAIL PROTECTED] writes: So why does that majority not provide the skills or the money to support that facility? Maybe you should use something else that panders to your appetite. Completely unable to resist a great setup presented above, is the software really free then? free doesn't mean that we're your servants. Go away, stupid troll. //art
no 4.2-stable package updates??
As a matter of policy, are -stable packages updated for security fixes? I know that used to be the case, but as of today (40 days after 4.2 was released), there are *no* 4.2-stable package updates shown at http://www.openbsd.org/pkg-stable.html. In contrast, there are 183 4.1-stable updates shown (accumulated over the roughly 7 months from 4.1-release to now), and 249 4.0-stable updates shown (presumably accumulated over the year from 4.0-release to the end of 4.0-stable updates when 4.2 was released), and my memory of past releases (going back some years) is of a similar steady trickle of -stable package updates (often described as security fixes). So, am I just lucky that no bugs-important-enough-for-stable-updates have been found in any 4.2 packages yet? Is there somewere other than http://www.openbsd.org/pkg-stable.html that I should be watching if I want to keep -stable packages up to date with security fixes? ciao, -- -- Jonathan Thornburg (remove -animal to reply) [EMAIL PROTECTED] School of Mathematics, U of Southampton, England Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam
Re: no 4.2-stable package updates??
On Tue, 11 Dec 2007, Jonathan Thornburg wrote: So, am I just lucky that no bugs-important-enough-for-stable-updates have been found in any 4.2 packages yet? Is there somewere other than http://www.openbsd.org/pkg-stable.html that I should be watching if I want to keep -stable packages up to date with security fixes? There're no -stable packages anymore. Lack of interest/man power. -- Antoine
Re: no 4.2-stable package updates??
On Tue, 11 Dec 2007, Martin Schrvder wrote: Get -stable ports fixed? Lack of interest/man power. -- Antoine
Re: no 4.2-stable package updates??
My opinion is that more money should be raised in order to keep -stable up to date. I think it's important to mantain a stable distribution, it's one of the things that give openbsd it's fame of being solid rock Marcos - Original Message - From: Antoine Jacoutot [EMAIL PROTECTED] To: Martin Schrvder [EMAIL PROTECTED] Cc: Misc-Openbsd Listserv misc@openbsd.org Sent: Tuesday, December 11, 2007 1:09 PM Subject: Re: no 4.2-stable package updates?? On Tue, 11 Dec 2007, Martin Schrvder wrote: Get -stable ports fixed? Lack of interest/man power. -- Antoine
Re: no 4.2-stable package updates??
Marcos Laufer wrote: My opinion is that more money should be raised in order to keep -stable up to date. I think it's important to mantain a stable distribution, it's one of the things that give openbsd it's fame of being solid rock Marcos Seriously? More money? Like enough to woo someone from their job and keep stable packages up to date for you? I'm not sure you understand how this whole thing works. Also, may your payment be the first of the windfall, and your -stable package patches the catalyst for la revolucion. -- Jason
Re: no 4.2-stable package updates??
Wow. I didn't know this changed. So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? I'm in no position to ask someone to do this, so I won't. But this really bites. On Dec 11, 2007, at 8:09 AM, Antoine Jacoutot wrote: On Tue, 11 Dec 2007, Martin Schrvder wrote: Get -stable ports fixed? Lack of interest/man power. -- Antoine
Re: no 4.2-stable package updates??
On Tue, 11 Dec 2007, Joe wrote: Wow. I didn't know this changed. This was announced on ports@ IIRC. So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available? That is correct. -- Antoine