David,

Thank you for your message...

> Aaron W. Hsu wrote:
> 
> >but if you are really concerned about security, pretty much your only 
> >hope is to either run -CURRENT or track the security updates and 
> >backport them yourself.
> 
> And then adds:
> 
> >My advice to you would be to just follow -STABLE.
> 
> So, it follows that your advice would be to not be really concerned 
> about security?

In this case, yes. The problem description was a machine on dial-up
which was on the network for only one hour per day. This would make it
impractical for the user of such a system to download new snapshots or
pull in source code changes from CVS fast enough to get real work done
after this. The only possible way that the user of such a system could
work this in would be to track the patches himself carefully on ports@
while maintaining the -STABLE branch, and then backport where necessary.
Doing so is going to be very troublesome, and likely not worth the
effort for this machine. However, like I said, if it really is a
concern, then backporting the security issues is a perfectly viable
option; doing so will significantly cut into the one hour per day
internet allotment. 

> Most people who use OpenBSD are probably doing so at least in part 
> because they are very concerned about security.  Doesn't that make this 
> disconnect curious, to say the least?

The main -STABLE system is still going to be secure, and as long as the
ports are chosen wisely, most of them should be fairly secure as well.
Certainly, they will be "good enough" in most cases for the standard
desktop user who is planning to do normal work and has their head about
them. Not that it would not be nice to have fixes backported on a more
reliable basis, but as has been noted in the lists before, this isn't
going to happen without some more people.

> This thread doesn't inspire any more confidence in -stable ports than I 
> have gained from the documentation, which has led me to conclude that I 
> should generally compile and manage my own software on OpenBSD.  A 
> "stable" branch is generally understood to mean "critical security 
> patches only", not "unmaintained" ...

That sounds remarkably troll-ish, but nonetheless, of course one
shouldn't have a great deal of confidence in the -STABLE branch of the
ports when it comes to security backports, because they are officially
unmaintained. Why? No one is there to do it, as has been mentioned
before in the lists. They don't have the time to maintain them properly.
Going the other way and saying that you should not use the ports system
at all is crazy. You can make the security updates yourself as easily as
you can manage all the software without the help of the ports framework,
so it is still better to run -STABLE and make the necessary updates when
they are required. 

The OpenBSD project has been very clear about what -STABLE means. When
it comes to the software distribution, it does mean that critical
patches are made, but the more important guarantee of STABLE is that the
interfaces, programs, and APIs will not change randomly and
unexpectedly, and things will generally behave in a reliable manner.
If this is what you implied by the "only" term above, well, okay, but
the statement above may say more than is necessary, and certainly says
more than what the -STABLE ports are. The -STABLE ports right now have no
one who can care for them, and thus they go mostly unmaintained except
for those places where the maintainers of the individual packages care
to handle them, and even then, this may not happen in a nice way.

-- 
Aaron W. Hsu <arcf...@sacrideo.us> | <http://www.sacrideo.us>
"Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else." -- Frederic Bastiat
+++++++++++++++ ((lambda (x) (x x)) (lambda (x) (x x))) ++++++++++++++