Wednesday, August 30, 2023

Re: net/synapse package vulnerable, 14 updates behind?

On Wed, Aug 30, 2023 at 04:33 Stuart Henderson <stu@spacehopper.org> wrote:

> On 2023/08/30 07:39, Oikei wrote:
> > Hello, I'm new to OpenBSD so I'm unsure if I'm doing something wrong or if
> > I'm even posting to the right mailing list.
> > It has come to my attention that the net/synapse package is 14 updates
> > behind and is vulnerable. I checked openbsd.app and the net/synapse
> > package really is 14 updates behind, with it being on 1.76 while the latest
> > is 1.90.
> > Checking the source on github:
> > https://github.com/openbsd/ports/tree/master/net/synapse
> > it was updated last month and is on 1.89.


On openbsd.app, you'd need to toggle on the "Search -current" setting to
see the newest packages. See <https://www.openbsd.org/faq/faq5.html#Flavors>
for the differences between -release, -stable, and -current (helpful
context for Stuart's detailed explanation and advice below.)

On a related note, if you are using pkg_info(1) on -release or -stable,
you'll want to use `pkg_info -aq` instead of just `pkg_info -q` to search
packages to ensure that -stable versions are included.

> > So my question is, why is the latest version in the repos 1.76 when
> > looking at the source it's on 1.89? Sorry if I totally missed something...
>
> You can't tell from the git mirror*, but if you look in the original
> CVS repo (https://cvsweb.openbsd.org/ports/net/synapse/Makefile)
> you'll see some commits with CVS tags e.g. OPENBSD_7_3 and some
> without.
>
> Those without tags are only in -current snapshots not a release.
>
> Often ports security updates do get backported to the most recent
> OpenBSD release (with binary packages built for some common cpu
> archs), but synapse is a super fast changing target and very
> often requires specific new versions of other ports, so it's not
> a great candidate for that, it's too hard to check that all those
> other updates don't break older versions of other ports.
>
> So if you're running software like this I recommend running
> snapshots and updating both base and all packages fairly often.


Morgan
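Stuart's point above, that a ports commit is in a release (or on the -stable branch) only if its revision carries an OPENBSD_x_y tag in CVS while untagged trunk revisions exist only in -current, can be checked mechanically from `cvs log` output. The POSIX shell script below is an added example, not part of this thread or of the OpenBSD ports tree. The `cvs log` text it parses is a constructed, abbreviated sample with made-up revision numbers and dates, not the real net/synapse history, and the tag layout it assumes is the usual CVS convention: OPENBSD_7_3_BASE marks the trunk revision that shipped in 7.3, and OPENBSD_7_3 is the branch tag (1.24.0.2) under which -stable backports appear as 1.24.2.N.

```shell
#!/bin/sh
# Added example (not from the thread): classify revisions of a port's Makefile
# from `cvs log` output into "only in -current" (trunk revisions newer than the
# newest OPENBSD_x_y_BASE tag) and "on the newest -stable branch" (revisions
# under the matching OPENBSD_x_y branch tag).  Tag layout is assumed, see above.

# Constructed, abbreviated sample of `cvs log Makefile`; revisions, dates and
# tags are invented for illustration.  Real output indents tags with tabs; the
# patterns below accept spaces or tabs.
SAMPLE_LOG=$(cat <<'EOF'
RCS file: /cvs/ports/net/synapse/Makefile,v
head: 1.27
symbolic names:
    OPENBSD_7_3: 1.24.0.2
    OPENBSD_7_3_BASE: 1.24
    OPENBSD_7_2: 1.18.0.2
    OPENBSD_7_2_BASE: 1.18
keyword substitution: kv
----------------------------
revision 1.27
date: 2023/08/10 00:00:00;  author: someone;  state: Exp;  lines: +2 -2;
update to 1.89
----------------------------
revision 1.26
date: 2023/07/20 00:00:00;  author: someone;  state: Exp;  lines: +2 -2;
update to 1.88
----------------------------
revision 1.25
date: 2023/06/01 00:00:00;  author: someone;  state: Exp;  lines: +2 -2;
update to 1.85
----------------------------
revision 1.24
date: 2023/03/01 00:00:00;  author: someone;  state: Exp;  lines: +2 -2;
update to 1.76
----------------------------
revision 1.24.2.1
date: 2023/04/01 00:00:00;  author: someone;  state: Exp;  lines: +2 -2;
security fix backported to -stable
EOF
)

# Trunk revisions (two-component numbers) newer than the newest *_BASE tag,
# newest first: these are in -current snapshots only, not in any release.
current_only_revisions() {
    printf '%s\n' "$1" | awk '
    BEGIN { bmaj = 0; bmin = 0 }
    /^symbolic names:/ { intags = 1; next }
    intags && /^[ \t]+OPENBSD_[0-9]+_[0-9]+_BASE:/ {
        split($2, p, ".")
        if (p[1]+0 > bmaj || (p[1]+0 == bmaj && p[2]+0 > bmin)) {
            bmaj = p[1]+0; bmin = p[2]+0
        }
        next
    }
    /^[^ \t]/ { intags = 0 }
    /^revision [0-9]+\.[0-9]+$/ {
        split($2, p, ".")
        if (p[1]+0 > bmaj || (p[1]+0 == bmaj && p[2]+0 > bmin))
            out = out (out == "" ? "" : " ") $2
    }
    END { print out }'
}

# Revisions on the newest release branch (-stable backports): the branch tag
# 1.24.0.2 names branch 1.24.2, so its revisions are 1.24.2.N.
stable_branch_revisions() {
    printf '%s\n' "$1" | awk '
    BEGIN { bmaj = 0; bmin = 0; rel = "" }
    /^symbolic names:/ { intags = 1; next }
    intags && /^[ \t]+OPENBSD_[0-9]+_[0-9]+(_BASE)?:/ {
        tag = $1; sub(":$", "", tag); tags[tag] = $2
        if (tag ~ /_BASE$/) {
            split($2, p, ".")
            if (p[1]+0 > bmaj || (p[1]+0 == bmaj && p[2]+0 > bmin)) {
                bmaj = p[1]+0; bmin = p[2]+0
                rel = substr(tag, 1, length(tag) - 5)   # strip "_BASE"
            }
        }
        next
    }
    /^[^ \t]/ { intags = 0 }
    /^revision [0-9.]+$/ { revs[++n] = $2 }
    END {
        if (rel == "" || !(rel in tags)) { print ""; exit }
        split(tags[rel], b, ".")              # 1.24.0.2
        prefix = b[1] "." b[2] "." b[4] "."   # -> "1.24.2."
        for (i = 1; i <= n; i++)
            if (index(revs[i], prefix) == 1 && split(revs[i], q, ".") == 4)
                out = out (out == "" ? "" : " ") revs[i]
        print out
    }'
}

# Print a short report for one `cvs log` text.
report() {
    cur=$(current_only_revisions "$1")
    stable=$(stable_branch_revisions "$1")
    printf 'only in -current (no release tag): %s\n' "${cur:-none}"
    printf 'on newest -stable branch:          %s\n' "${stable:-none}"
}

report "$SAMPLE_LOG"
```

For a real port, run `cvs log Makefile` inside the port's directory of a ports checkout and pass its output to `report` in place of the sample. A non-empty -current list means the version you see on GitHub or cvsweb is ahead of what any release carries; an empty -stable list means nothing has been backported to the most recent release branch, which is the situation Stuart describes for synapse.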
