* On 2017-01-06 at 22:40 GMT, Jesus Cea wrote:

> I am wondering what is going on, if this is regular business and if 15.4
> is better supported for security updates. I am using quarterly images
> because they are supposed to be "up to date", but I could use only yearly
> "LTS" releases if security updates are more timely. I have made a huge
> investment to be able to "redeploy" my environment in minutes to take
> advantage of quarterly releases, but security is a major concern too.
> When I asked those questions in the chat room months ago I was told that
> a typical vulnerability could take a couple of weeks "only".
One of the most important things to note is that the vulnerabilities file
is updated very quickly, and will often include issues that aren't even
fixed in the upstream software yet. The aim is to provide the administrator
with as much information as possible, and they can choose to disable the
affected software if necessary until the issue is resolved.

That said, there will of course be many times when we simply can't keep up
with all of the issues. Generally the latest quarterly release will be the
most secure because it will have the latest software, and will include
backports provided by the pkgsrc-releng team. For LTS releases we (Joyent)
need to backport these ourselves, so while we prioritise backports to those
branches before the latest quarterly, the latest quarterly should still on
the whole have fewer vulnerabilities than any LTS.

> I fully realize that I am not paying anything for SmartOS, but I could
> consider donating time and expertise to improve the situation if I can
> make any difference. How can I help?

That would be perfect :) We are always looking for more people to get
involved in pkgsrc, and it's the best way they can help. The great thing is
that people of all abilities can get stuck in, helping out with everything
from trivial package fixes to rewrites of infrastructure and supporting new
platforms.

If there's something that particularly interests you, ping me on IRC on
Monday and I'd be happy to walk you through it to get started. Ideally we'd
want contributors to get involved in pkgsrc upstream so that they can commit
fixes directly, and I'm happy to sponsor folks who have produced good
patches and are interested in joining the project.

> Does pkgsrc upstream address this timely?

We primarily rely on the pkgsrc upstream work by the pkgsrc-releng team for
backports, but they only maintain the latest branch, so everything for LTS
we need to do ourselves. For important things like OpenSSL I'll tend to do
it all myself anyway.
Cheers,

-- 
Jonathan Perkin - Joyent, Inc. - www.joyent.com

smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
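To make the "vulnerabilities file" workflow above concrete, here is an added example (not the list's or pkgsrc's own code; pkgsrc provides `pkg_admin audit` for this) that checks a list of installed package names against entries written in the pkg-vulnerabilities layout. The feed contents and the installed list are constructed, and only the simple pattern forms `name<ver`, `name<=ver`, `name>ver`, `name>=ver` and exact `name-ver` are handled, with a simplified version comparison.

```python
"""Minimal pkg-vulnerabilities style audit (added example, constructed data)."""
import re

# Assumed line layout: <package-pattern> <type-of-exploit> <advisory-url>
VULN_FILE = """\
# constructed sample in pkg-vulnerabilities layout, not the real feed
openssl<1.0.2j   multiple-vulnerabilities   https://example.invalid/openssl
curl-7.51.0      information-disclosure     https://example.invalid/curl
bash>=5          hypothetical-issue         https://example.invalid/bash
"""
INSTALLED = ["openssl-1.0.2h", "curl-7.51.0", "bash-4.4"]  # constructed

OPS = ("<=", ">=", "<", ">")  # two-character operators must be tried first
PKG_RE = re.compile(r"^(.*)-(\d[^-]*)$")  # "name-version", version starts with digit

def dewey(version):
    """Simplified dewey-style key: numeric parts compare as ints, letters as text.
    (pkgsrc's real comparison also knows alpha/beta/rc/nb suffixes.)"""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def parse_pattern(pattern):
    """Split a pattern into (name, operator, version)."""
    for op in OPS:
        name, sep, ver = pattern.partition(op)
        if sep:
            return name, op, ver
    m = PKG_RE.match(pattern)
    if not m:
        raise ValueError("unsupported pattern: " + pattern)
    return m.group(1), "==", m.group(2)

def matches(pattern, installed):
    """True if the installed 'name-version' string falls under the pattern."""
    name, op, ver = parse_pattern(pattern)
    m = PKG_RE.match(installed)
    if not m or m.group(1) != name:
        return False
    have, want = dewey(m.group(2)), dewey(ver)
    return {"<": have < want, "<=": have <= want, ">": have > want,
            ">=": have >= want, "==": have == want}[op]

def audit(vuln_text, installed):
    """Return (package, vulnerability type, url) for every matching entry."""
    hits = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split()[:3]
        hits.extend((pkg, kind, url) for pkg in installed if matches(pattern, pkg))
    return hits

if __name__ == "__main__":
    for pkg, kind, url in audit(VULN_FILE, INSTALLED):
        print(f"{pkg}: {kind} ({url})")
```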
