[OpenIndiana-discuss] OI roadmap (for production)

Tim Mooney Tim.Mooney at ndsu.edu
Mon Dec 7 18:53:36 UTC 2015


In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production), Bob...:

>> Take libpng for example.  The latest OI /dev ships is 1.4.12.  Everything
>> before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126.  Let's
>> say that I had just installed a8 today and then updated to a9, so I didn't
>> know whether libpng had been patched or not.  How would I check?
>
> Given the development model of OpenIndiana, I think that it is much more
> likely that the software version is updated based on a formal upstream
> release rather than a security issue being fixed via a patch. Only
> really extreme security issues or well-known issues in valuable
> unmaintained projects are likely to be fixed via a patch.
>
> OpenIndiana is not going to be prepared any time soon to provide security 
> fixes in the way that Red Hat or Debian are able to provide.

You make a good point Bob, and I think you're correct that's the only
option.

The downside is that with many of the components in OI /dev being so far
off of current, a security update is going to often force a minor or
even major version bump, which will potentially cause breaking changes
and in the case of a base library, require a re-link of many applications.
In libpng's case that wouldn't be true since there was a full package
release in the 1.4.x and even 1.2.x series.

The situation is much better for hipster, since it is much closer to
current releases for many more packages.

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
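An added example, not from this thread and not OpenIndiana's own tooling: a POSIX shell check of the kind the quoted question asks for, comparing the libpng version that `pkg list` reports with 1.4.17, the first release the thread names as fixed for CVE-2015-7981 and CVE-2015-8126. The `pkg list` lines below are constructed sample output; the package name `library/libpng` and the column layout are assumptions, so the version is picked out by pattern rather than by fixed column.

```shell
#!/bin/sh
# Added example (not OpenIndiana's code). Decides whether the installed libpng
# predates the first fixed upstream release named in the thread.

FIXED_LIBPNG="1.4.17"   # first release the thread cites as not vulnerable

# version_lt A B: true (exit 0) when dotted numeric version A sorts before B.
# Missing trailing components are treated as 0, so "1.4" < "1.4.17".
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then
            return 0
        elif [ "$x" -gt "$y" ]; then
            return 1
        fi
    done
    return 1   # equal
}

# libpng_version LINE: pull the upstream version out of one "pkg list" line.
# Finds the first field that looks like "N.N..." (works whether or not a
# publisher column is present) and drops the IPS branch suffix after the dash.
libpng_version() {
    v=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]/) { print $i; exit } }')
    printf '%s\n' "${v%%-*}"
}

# check_libpng LINE: report the verdict; exit 0 when at or past the fixed release.
check_libpng() {
    installed=$(libpng_version "$1")
    if [ -z "$installed" ]; then
        echo "could not find a version in: $1"
        return 2
    fi
    if version_lt "$installed" "$FIXED_LIBPNG"; then
        echo "libpng $installed is older than $FIXED_LIBPNG: CVE-2015-7981 / CVE-2015-8126 still apply"
        return 1
    fi
    echo "libpng $installed is at or past $FIXED_LIBPNG"
    return 0
}

# Constructed sample lines standing in for: pkg list library/libpng
SAMPLE_DEV="library/libpng        1.4.12-2015.0.0.0   i--"
SAMPLE_FIXED="library/libpng (openindiana.org)   1.4.17-2015.0.0.0   i--"

for line in "$SAMPLE_DEV" "$SAMPLE_FIXED"; do
    check_libpng "$line" || :
done
```

On a live system the loop would be fed by `pkg list library/libpng` instead of the constructed strings; the comparison deliberately ignores the `-2015.0.0.0` branch suffix, because it is the upstream 1.4.x number, not the IPS build, that the CVE fix threshold refers to.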