# Yearly packages repository with security patches?



## np1 (Mar 30, 2020)

Hi,
I was wondering why only the quarterly / latest package repositories receive security updates.
Is it possible to have a yearly packages repo with security updates applied?
I don't want packages to upgrade versions every 3 months.

Thanks a lot,
Best


----------



## SirDice (Mar 30, 2020)

np1 said:


> I was wondering why only the quarterly / latest package repositories receive security updates.


Because that's the only kind we have.



np1 said:


> Is it possible to have a yearly packages repo with security updates applied?


Only if you set up your own repository and manage everything yourself.


----------



## np1 (Mar 30, 2020)

SirDice said:


> Because that's the only kind we have.
> 
> 
> Only if you set up your own repository and manage everything yourself.



This is not a problem, but where can I find the security patches?
Thx


----------



## SirDice (Mar 30, 2020)

np1 said:


> This is not a problem, but where can I find the security patches?


What security patches are you looking for? If a port has a security issue then that port just gets updated to the new, fixed, version. But obviously only if the issue has actually been resolved upstream.


----------



## np1 (Mar 30, 2020)

Let me share more details on my requirement.
Let's say that I want to stick to the 12.1 release_1 packages.
This repo currently contains nginx-1.16.1_4,2.txz.
I want to apply the patch for this vuln https://vuxml.freebsd.org/freebsd/87679fcb-be60-11e9-9051-4c72b94353b5.html to it.

Should I copy the new nginx port taken from quarterly into the release_1 ports tree and rebuild everything using poudriere/synth?
I don't think this will work...
How should I handle this?

My point is to have a stricter version policy in place; I don't need to have the latest versions as long as they don't have any known vulnerabilities...
Let's say something like Debian security patch management...

Thx


----------



## SirDice (Mar 30, 2020)

np1 said:


> Let's say that I want to stick to the 12.1 release_1 packages.


Don't use that one. Use latest or quarterly.



> This repo currently contains nginx-1.16.1_4,2.txz.


Yes, it hasn't been updated since October I believe. Again, don't use that repository.



np1 said:


> My point is to have a stricter version policy in place; I don't need to have the latest versions as long as they don't have any known vulnerabilities...


Set up your own repository so you can update what you want, when you want it.



np1 said:


> Should I copy the new nginx port taken from quarterly into the release_1 ports tree


There is no "release_1" ports tree. There's only one ports tree; there are, however, quarterly branches taken from it. The difference between the release_0 and release_1 package repositories is that one was built for 12.0 and the other for 12.1. Both are based on the exact same ports tree. All versions of FreeBSD use one and the same ports tree. There are NO version differences between FreeBSD versions like you would have with a Linux distribution (massive changes between Red Hat 7 and 8, for example).



np1 said:


> How should I handle this?


Set up poudriere with a subversion ports tree. Then in /usr/local/poudriere/ports/default (assuming you're using the 'default' ports tree) you can use subversion to update what you want, or not.


Oh, and that security issue was already fixed some time ago: https://svnweb.freebsd.org/ports?view=revision&revision=508898
It's been fixed in the previous quarterly too. Which is another reason not to use that release_1 repository.


----------
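The workflow SirDice describes (a pinned ports tree checked out from a quarterly subversion branch, updating only the ports you choose, and rebuilding just those with poudriere), written out as an added example that is not part of this thread or of FreeBSD's own tooling. The jail name `12amd64`, the tree name `pinned`, the branch `branches/2020Q1`, the use of `pkg audit` to pick which origins need an update, and the `DRY_RUN` switch are all assumptions of this example.

```shell
#!/bin/sh
# Selective security updates on a pinned poudriere ports tree (example, not project code).
# Assumed names: jail 12amd64, ports tree "pinned", quarterly branch branches/2020Q1.
set -eu

JAIL=${JAIL:-12amd64}
PORTS_TREE=${PORTS_TREE:-pinned}
TREE_DIR=/usr/local/poudriere/ports/$PORTS_TREE
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# One-time setup: build jail for the release, and a ports tree from a quarterly svn branch.
# Because it is a working copy, nothing in it moves until you run svn update yourself.
setup_tree() {
    run poudriere jail -c -j "$JAIL" -v 12.1-RELEASE
    run poudriere ports -c -p "$PORTS_TREE" -m svn+https -B branches/2020Q1
}

# Refresh the VuXML database and list the origins of installed packages with known issues.
# pkg audit exits non-zero when it finds something; the pipeline status comes from sort.
vulnerable_origins() {
    pkg audit -F -q | while read -r pkgver; do pkg query %o "$pkgver"; done | sort -u
}

# Update only the given port directories in the pinned tree, then rebuild just those.
# Caveat: a port may also need newer framework files (Mk/), which this does not touch.
update_and_rebuild() {
    [ $# -gt 0 ] || { echo "usage: update_and_rebuild ORIGIN..." >&2; return 1; }
    for origin in "$@"; do
        run svn update "$TREE_DIR/$origin"
    done
    run poudriere bulk -j "$JAIL" -p "$PORTS_TREE" "$@"
}

case "${1:-}" in
    setup) setup_tree ;;
    audit) vulnerable_origins ;;
    fix)   shift; update_and_rebuild "$@" ;;
    *)     echo "usage: $0 setup | audit | fix ORIGIN..." >&2 ;;
esac
```

Run `./pinned-update.sh audit` to see which origins need attention, then `./pinned-update.sh fix www/nginx` (or whatever it listed) to pull only those directories and rebuild them; the resulting packages land in poudriere's usual repository directory for your jail and tree.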

