I have been following SmartOS from the very beginning, but I have only been deploying my first real servers since November.

I am using image 16.3.1 for native zones. Those quarterly images are supposed to be security-supported until the next image is released. In this particular case, 16.4 is not released yet. Yet I am seeing a growing number of security vulnerabilities unaddressed:

"""
# pkgin update
processing remote summary (https://pkgsrc.joyent.com/packages/SmartOS/2016Q3/x86_64/All)...
database for https://pkgsrc.joyent.com/packages/SmartOS/2016Q3/x86_64/All is up-to-date
# pkgin full-upgrade
nothing to do.
# pkg_admin fetch-pkg-vulnerabilities
# pkg_admin audit | wc -l
69
"""

Reading <https://www.joyent.com/blog/pkgsrc-2014q4-lts-signed-packages-and-more> one more time, I see:

"""
We will continue to produce the other quarterly releases (SmartOS 15.1.x images and onwards), so that users can get the latest packages available, but each of those releases will be closed for updates as soon as the next one is available.
"""

Reading that, it looks like 16.3.1 should receive security updates until 16.4 is released.

"""
Latest quarterly releases are for everyone else, users who want the latest stuff (and the latest security fixes), and are happy to reprovision their applications onto the newest images at regular intervals.
"""

"And the latest security fixes" seems to confirm my impression.

I am wondering what is going on, whether this is business as usual, and whether 15.4 is better supported for security updates. I am using quarterly images because they are supposed to be "up to date", but I could use only the yearly "LTS" releases if security updates are more timely there. I have made a huge investment to be able to "redeploy" my environment in minutes to take advantage of quarterly releases, but security is a major concern too. When I asked these questions in the chat room months ago, I was told that a typical vulnerability could take "only" a couple of weeks.
I fully realize that I am not paying anything for SmartOS, but I could consider donating time and expertise to improve the situation if I can make any difference. How can I help? Does pkgsrc upstream address this in a timely way?

Thanks.

PS: SmartOS is impressive. Good work. I just need to know what to expect :-)

-- 
Jesús Cea Avión                         [email protected] - http://www.jcea.es/
Twitter: @jcea
jabber / xmpp:[email protected]
"Things are not so easy"
"My name is Dump, Core Dump"
"El amor es poner tu felicidad en la felicidad de otro" ("Love is placing your happiness in the happiness of another") - Leibniz
-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
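The post above counts `pkg_admin audit` findings with `wc -l`, which says how many lines there are but not which packages or vulnerability classes are behind the number. The following is an added example, not code from the original post or from pkgsrc/SmartOS, that parses the `Package <name>-<version> has a <kind> vulnerability, see <url>` lines `pkg_admin audit` prints and summarizes them per package and per vulnerability class, so that a 69-line audit can be triaged. The sample output, the package names, versions and advisory URLs are constructed placeholders, and the set of "high" vulnerability classes used for prioritisation is an assumption of this example, not a pkgsrc classification.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `pkg_admin audit` output. Package names, versions
# and URLs are illustrative placeholders, not findings from the post.
SAMPLE_AUDIT = """\
Package openssl-1.0.2h has a remote-code-execution vulnerability, see https://example.invalid/advisory/1
Package openssl-1.0.2h has a denial-of-service vulnerability, see https://example.invalid/advisory/2
Package curl-7.50.3 has a buffer-overflow vulnerability, see https://example.invalid/advisory/3
Package libxml2-2.9.4 has a denial-of-service vulnerability, see https://example.invalid/advisory/4
Package libxml2-2.9.4 has a denial-of-service vulnerability, see https://example.invalid/advisory/5
"""

# One audit line: "Package <pkg>-<version> has a(n) <kind> vulnerability, see <url>"
AUDIT_LINE = re.compile(
    r"^Package (?P<pkg>\S+) has an? (?P<kind>[\w-]+) vulnerability, see (?P<url>\S+)$"
)

# Assumed prioritisation: which vulnerability classes we treat as "high".
# This is a choice of this example, not a pkgsrc severity scale.
HIGH_KINDS = frozenset({
    "remote-code-execution",
    "arbitrary-code-execution",
    "buffer-overflow",
    "privilege-escalation",
})


def parse_audit(text):
    """Turn raw `pkg_admin audit` output into a list of finding dicts.

    Lines that do not match the audit format (blank lines, warnings) are
    skipped rather than counted, unlike `wc -l`.
    """
    findings = []
    for line in text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if not m:
            continue
        # pkgsrc package identifiers are <name>-<version>; the version is the
        # part after the last dash, so "py27-foo-1.0" splits into ("py27-foo", "1.0").
        name, version = m.group("pkg").rsplit("-", 1)
        findings.append({
            "name": name,
            "version": version,
            "kind": m.group("kind"),
            "url": m.group("url"),
        })
    return findings


def summarize(findings):
    """Count findings in total, per package (deduplicated by advisory URL)
    and per vulnerability class."""
    advisories_per_pkg = defaultdict(set)
    for f in findings:
        advisories_per_pkg[f["name"]].add(f["url"])
    return {
        "total": len(findings),
        "packages": {name: len(urls) for name, urls in advisories_per_pkg.items()},
        "kinds": dict(Counter(f["kind"] for f in findings)),
    }


def priority_packages(findings, high_kinds=HIGH_KINDS):
    """Sorted package names that carry at least one finding of an assumed
    high-impact class; these are the ones to patch or reprovision first."""
    return sorted({f["name"] for f in findings if f["kind"] in high_kinds})


if __name__ == "__main__":
    found = parse_audit(SAMPLE_AUDIT)
    report = summarize(found)
    print("total findings:", report["total"])
    for name, n in sorted(report["packages"].items()):
        print(f"  {name}: {n} advisory(ies)")
    print("by class:", report["kinds"])
    print("patch first:", priority_packages(found))
```

On a real host, pipe the command into the parser instead of the constructed sample, e.g. `pkg_admin audit | python3 this_script.py` with `parse_audit(sys.stdin.read())`. The per-package view is what matters when deciding whether to wait for the next quarterly image or to rebuild the affected packages yourself: a single unfixed library such as an SSL or XML parser can account for a large share of the raw line count.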
