packages security fixes

[Martillo]

Just a question: Do security fixes get to the packages repository of the release so we can update them with pkg_add -u?

I mean between releases, I know that after upgrading from 5.3 to 5.4 I will have to run pkg_add -u. What happens in those six month between them?

[jggimi]

This is a good question. In the past, the answer would have been yes. And it is still possible in the future. But at this time, it is my understanding that the Project does not have the resources to supply packages for all architecutures when -stable ports are developed. You can build them yourself, from the ports tree, or you may obtain them from M:Tier, a third party organization that builds -stable systems and -stable packages for the convenience of the community.

[Martillo]

Do M:Tier packages integrate in the package system so that they can be pkg_delete'd or pkg_add -u(pdated)?

[jggimi]

I have never used their services, but I assume they must do so. I cannot imagine them doing it any other way, since the ports tree is 1) there, 2) works, 3) the ports maintainers would have already done all the development, and 4) is the only way to install and deinstall third party applications and libraries.

[Martillo]

I will give them a try.

[albator]

Quote:

Originally Posted by Martillo

Do M:Tier packages integrate in the package system so that they can be pkg_delete'd or pkg_add -u(pdated)?

They provide a shell script called openup.
Looking at it shows it uses pkg_add -u :

Code:

$ grep "pkg_add -u" openup    
	_CMD="pkg_add -u ${pkg_opt}"

They mix two repositories :

Code:

$ egrep "MAIN|UPDATE"  openup      
PKG_PATH_MAIN="http://ftp.fr.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(arch -s)"
PKG_PATH_UPDATE="https://stable.mtier.org/updates/$(uname -r)/$(arch -s)"
export PKG_PATH=${PKG_PATH_UPDATE}:${PKG_PATH_MAIN}

Be aware though that if you use this tool, jggimi will say he cannot help you no more. ;-)
Only joking, thanks jggimi for helping me several times.

[Martillo]

Thanks a lot!

[shep]

Quote:

They provide a shell script called openup.
Looking at it shows it uses pkg_add -u :

You do not have to use the openup shell script.

You can download and add the M:tier ssl certificate and adjust your PKG_PATH as described in the M:tier documentation. Using this approach, you still have to patch the kernel and base as before but have access to the updated packages for the 6 month life of the release.

See this prior thread for adding the mtier.cert. My updates so far include firefox, ImageMagick, libtar and gnupg. All have gone smoothly.

[Martillo]

Well, after coming back to OpenBSD I tried M:tier. So far so good!

[Martillo]

There is something different: pkg_info -Q <string> only searches packages that start with the string supplied while the standard repos search the keyword in the whole packages' name regardless its position.

[shep]

If you noted this looking for M:tier pkg updates via

Code:

pkg_add -u

which matches every installed pkg, there is an alternative.

I follow M:tier Update Web Page and if a new update shows up I use grep to see if I have the pkg that needs updating.

For example there were two recent cups-filters updates

Quote:

cyrus-imapd — security fix
haproxy — security fix
cups-filters — security fix
polkit — security update
libxml — security fix
ruby — security fix
pcre — security fix
wesnoth — security fixes
cups-filters — security fix
libwmf — security fix

$ PooBear$ pkg_info | grep cups
cups-libs-2.0.3 CUPS libraries and headers
PooBear$


I use lpr without foomatic-rip so I never installed cups-filters. If I was using foomatic-rip, I would run:
# pkg_add -u cups-filters


[Martillo]

Nevermind, the last try I made of pkg_info -Q <string> works as expected with M:tier repositories. Only God knows what happened yesterday...