# Why do I have to use latest packages vs quarterly in order to get security updates?



## eternal_noob (Feb 12, 2020)

Hi,

There is a new version, Firefox 73, which fixes some serious bugs, released yesterday.
Security Vulnerabilities fixed in Firefox 73 (www.mozilla.org)
I wanted to update it but learned that the fixes didn't go to quarterly packages, so I had to change pkg to fetch the latest packages using the instructions here:
Ports/QuarterlyBranch - FreeBSD Wiki
Why is this? I was under the impression that security updates go to quarterly as well?


----------
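The OP switched the pkg repository from quarterly to latest by following the wiki page above. The script below is an added example, not something posted in this thread: it generates the repository override that pkg(8) reads from /usr/local/etc/pkg/repos/, using the same fields as the stock /etc/pkg/FreeBSD.conf, and then shows how to confirm that the selected branch really offers a newer package and whether the installed one still has a VuXML advisory. The function names, the choice of firefox as the default package and the root-only install step are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pick the pkg(8) package branch
# (quarterly or latest) and verify what the repository actually serves.

# Print a repository definition for the requested branch. The field names and
# the default fingerprint path come from the stock /etc/pkg/FreeBSD.conf.
repo_conf() {
    branch="$1"
    case "$branch" in
        quarterly|latest) ;;
        *) echo "repo_conf: branch must be quarterly or latest" >&2; return 1 ;;
    esac
    # \${ABI} is kept literal so that pkg(8) expands it at run time
    # (e.g. FreeBSD:12:amd64); ${branch} is expanded here.
    cat <<EOF
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/\${ABI}/${branch}",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
}

# Write the override (root required) and force a catalogue refresh, so the
# comparison below reflects the chosen branch rather than a stale local copy.
switch_branch() {
    conf_dir=/usr/local/etc/pkg/repos
    mkdir -p "$conf_dir" || return 1
    repo_conf "$1" > "$conf_dir/FreeBSD.conf" || return 1
    pkg update -f
}

# Compare the installed version with what the enabled repository offers, then
# fetch a fresh VuXML database and audit the installed packages. A package
# that is "installed" at a version older than "repository offers" has simply
# not been upgraded yet; one that is equal but still listed by pkg audit has
# no fixed build on this branch yet.
check_package() {
    name="$1"
    installed=$(pkg query '%v' "$name" 2>/dev/null || echo "not installed")
    available=$(pkg rquery '%v' "$name" 2>/dev/null || echo "not in catalogue")
    printf '%s: installed %s, repository offers %s\n' "$name" "$installed" "$available"
    pkg audit -F
}

# Usage (as root): sh switch_branch.sh latest firefox
if [ $# -ge 1 ]; then
    switch_branch "$1" && check_package "${2:-firefox}"
fi
```

Running `check_package` before and after the switch makes the thread's question concrete: if quarterly still reports the older version while `pkg audit` flags it, the fix has not reached that branch's packages yet, and the catalogue refresh (`pkg update -f`) rules out the stale-catalogue case discussed further down.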



## SirDice (Feb 13, 2020)

[ports] Index of /branches/2020Q1/www/firefox (svnweb.freebsd.org)
It takes time to build a truck load of packages for various different versions and architectures of FreeBSD.
https://pkg-status.freebsd.org/builds?jailname=120amd64


----------



## msplsh (Feb 13, 2020)

From the looks of that page, it seems like they can build selectively and it only takes a couple hours.  Not a particularly good explanation.  Maybe a better question would be why hasn't it been patched into HEAD?


----------



## usdmatt (Feb 13, 2020)

Ports are usually updated by submitting a bug report. If it’s a security issue, there is the option to request the fix is merged to the quarterly branch as well as head.

Latest ports are built from ports head (might not actually be called that but I’m on phone and it’s too much of a pain to check). Either way latest should always be built from the most recently committed ports tree. This is why it isn’t the default repo, as a commit to one port could possibly break builds for others that depend on it and using quarterly gives time to spot these issues.

Quarterly packages are built from the quarterly branch. So the real question is, if this is a genuine security related fix, why wasn’t it flagged to be merged into quarterly.

Or it was, and just hasn’t had the pkg built yet.


----------



## SirDice (Feb 14, 2020)

msplsh said:


> From the looks of that page, it seems like they can build selectively and it only takes a couple hours.


The "Exp" builds are triggered by submitted patches (notice how they all refer to PR numbers). They are, in essence, test builds. If they fail the patch isn't committed.



msplsh said:


> Maybe a better question would be why hasn't it been patched into HEAD?


It is. If it wasn't there wouldn't be a package either. Everything starts with a port. All packages are built from ports, always, no exceptions.
[ports] Log of /head/www/firefox/Makefile (svnweb.freebsd.org)

----------



## T-Daemon (Feb 14, 2020)

It should also be taken into account that the packages repository catalogues (pkg-repo(8)) are updated only every 3 days. Even if an updated/upgraded package is present in the repository it's not available for pkg(8) until the catalogue is updated. This can give the impression a package is not updated/upgraded.

In the case of quarterly www/firefox, the latest port update was committed on February 10th, a package was placed in the repository on February 12th, and the package repository catalogue (meta, digests, packagesite) was updated on February 13th.


----------



## shkhln (Feb 15, 2020)

T-Daemon said:


> a package has been placed in the repository on February 12th, the package repository catalogue (meta, digests, packagesite) was updated on February 13th.



Was it? That sounds kinda unsafe, unless Poudriere keeps old packages around until metadata update. Most likely the package was built 12th and published on 13th.


----------



## T-Daemon (Feb 16, 2020)

Thanks shkhln, I appreciate that you took your time to correct my faulty conclusion. My apologies to all, there is limited information, at least I couldn't find any, concerning the update process of the package repositories. I took as base the information at hand and past experience. I was sure I drew the right conclusions, obviously I was wrong.
@ Sevendogsbsd and @ CyberCr33p you might want to take your thanks back, I got them undeservedly. Again my apologies.


----------



## teo (Feb 16, 2020)

shkhln said:


> Was it? That sounds kinda unsafe, unless Poudriere keeps old packages around until metadata update. Most likely the package was built 12th and published on 13th.


It is, since the system detects the vulnerabilities, and if the package or port repositories are not updated to the latest version, the system cannot fix the vulnerabilities or update the software. I don't use Poudriere because it's too confusing in its configuration, I never could with poudriere.


----------



## shkhln (Feb 16, 2020)

teo said:


> It is, since the system detects the vulnerabilities, and if the package or port repositories are not updated to the latest version, the system cannot fix the vulnerabilities or update the software.



Not that again…


----------

