
List:       openpkg-users
Subject:    Re: [OpenPKG-SA-2006.026] OpenPKG Security Advisory (screen)
From:       "Ralf S. Engelschall" <rse () openpkg ! org>
Date:       2006-10-26 18:15:21
Message-ID: 20061026181521.GA77411 () engelschall ! com

On Thu, Oct 26, 2006, Adam D. Morley wrote:

> On Thu, Oct 26, 2006 at 08:19:33AM +0200, OpenPKG wrote:
> [snip]
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Affected Series:  Affected Packages:         Corrected Packages:
> > 1.0-ENTERPRISE    n.a.                       >= screen-4.0.3-E1.0.0
> > 2-STABLE-20061018 <= screen-4.0.2-2.20061018 >= screen-4.0.3-2.20061023
> > 2-STABLE          <= screen-4.0.2-2.20061018 >= screen-4.0.3-2.20061023
> > CURRENT           <= screen-4.0.2-20061013   >= screen-4.0.3-20061023
> [snip]
>
> Is the 2-STABLE version the one that would apply to 2.20060622, or did I
> miss a change in security release policy for the STABLE branch?  I'm
> just wondering if 2.20060622 is still getting fixes or not.

I'm sorry that during the current in-progress website updates for
OpenPKG Enterprise and OpenPKG Community not all information has been
updated yet, or at least is still not clear and intuitive enough. I
tried hard to summarize the major differences between the now provided
OpenPKG series on the following two pages:

  http://www.openpkg.org/product/series.php
  http://www.openpkg.org/product/series/comparison.php

But, as I said, the information is perhaps still too confusing.
Well, let me summarize it in more prose:

OpenPKG 2-STABLE (package naming scheme "2.YYYYMMDD") and CURRENT
("YYYYMMDD") are progressively changing _branches_ where only the
latest package version is stored on the FTP server (older versions are
automatically expired, but could still be re-created by developers from
CVS if needed, of course). Following the old release cycle, every 4
months the OpenPKG Foundation e.V. creates a snapshot distribution from
2-STABLE: in June 2006 this was 2-STABLE-20060622 ("2.20060622"), in
October 2006 this was 2-STABLE-20061018 ("2.20061018") and in February
2007 this will be 2-STABLE-200702XX. For the current tentative roadmap
see:

  http://www.openpkg.org/project/events.php

The snapshot distributions are provided for full _reproducibility_
within the 4-month life-time of a snapshot and hence update packages for
snapshots ("2.YYYYMMDD") are actually non-expiring _copies_ of packages
from 2-STABLE. As snapshots on a branch are just point-in-time things
and no underlying CVS branch exists, we can maintain only the last
snapshot of a branch via the mentioned "copy update packages from the
branch to the snapshot".

As a result, although we still keep the older snapshots on the FTP
server so as not to break any scripts in tutorials or similar
documentation, only the latest one (currently 2-STABLE-20061018)
receives security updates. The previous 2.20060622 snapshot -- since
last Wednesday -- is no longer updated, as it is fully replaced with
2.20061018. BTW, upgrading between snapshots is easy: change your
<prefix>/etc/openpkg/release file from "TAG=2-STABLE-20060622" to
"TAG=2-STABLE-20061018" and perform a "<prefix>/bin/openpkg build
openpkg | sh" plus a "<prefix>/bin/openpkg build -ZaKB | sh". This way
all packages are updated in the correct order.

                            - - -

Please understand that the whole 2-STABLE branch and its snapshot
engineering is a well-balanced compromise between an expensive long-term
maintained full release-engineered distribution (like 2.5-RELEASE and
the forthcoming E1.0-RELEASE) and the cheap ultra-fast progressing and
bleeding-edge CURRENT -- mainly constrained by the 100% volunteer
manpower available to the OpenPKG Foundation e.V.

The extremely expensive long-term maintained full release-engineered
OpenPKG Community 2.5-RELEASE distribution is finally superseded in
November by the similarly scoped OpenPKG Enterprise E1.0-RELEASE
distribution. This distribution again has a longer life-cycle of at
least one year and in particular receives full security updates as fast
as possible and with full update compatibility.

As this is obviously only possible in the long term with non-volunteer
manpower, it is provided as a commercial product by the OpenPKG GmbH
and hence targets business customers only. Nevertheless, the initial
release (packages with release "E1.0.0") of OpenPKG Enterprise 1 will
be freely downloadable and usable by anybody for evaluation and easy
migration purposes. Only the expensive back-ported security updates
will be restricted to paying customers. Community users receive
security updates via the cheaper new vendor versions only.

                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com
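The snapshot-to-snapshot upgrade described in the mail above, as an added example that is not part of the original message and not OpenPKG's own tooling: a POSIX shell wrapper that rewrites the TAG line in <prefix>/etc/openpkg/release and then runs the two build commands in the order the mail gives (the "openpkg" bootstrap package first, then everything with -ZaKB). The function names, the DO_BUILD switch, the tag-format check and the backup of the old tag are assumptions of this example; the only OpenPKG commands used are the two quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes an OpenPKG instance
# rooted at $PREFIX whose etc/openpkg/release file carries a line
# "TAG=2-STABLE-YYYYMMDD". The build commands are only executed when
# DO_BUILD=yes; otherwise they are printed, so the script can be dry-run.

# Rewrite the TAG= line of a release file, leaving every other line as it
# is. Prints the previous tag on stdout. Fails (and leaves the file
# untouched) when the new tag does not look like a 2-STABLE snapshot tag
# or when the file has no TAG line at all.
openpkg_set_tag() {
    file="$1"; new="$2"
    case "$new" in
        2-STABLE-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "openpkg_set_tag: not a 2-STABLE snapshot tag: $new" >&2
           return 1 ;;
    esac
    old=$(sed -n 's/^TAG=//p' "$file" | head -n 1)
    if [ -z "$old" ]; then
        echo "openpkg_set_tag: no TAG line in $file" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    sed "s|^TAG=.*|TAG=$new|" "$file" > "$tmp" && mv "$tmp" "$file" || return 1
    echo "$old"
}

# Switch the instance at $1 to snapshot tag $2 and rebuild, in the order
# the mail prescribes: the openpkg package itself first, then all
# packages (-ZaKB) so that dependencies are rebuilt order-correctly.
openpkg_snapshot_upgrade() {
    prefix="$1"; new="$2"
    old=$(openpkg_set_tag "$prefix/etc/openpkg/release" "$new") || return 1
    echo "switching $old -> $new"
    if [ "${DO_BUILD:-no}" = yes ]; then
        "$prefix/bin/openpkg" build openpkg | sh
        "$prefix/bin/openpkg" build -ZaKB | sh
    else
        echo "would run: $prefix/bin/openpkg build openpkg | sh"
        echo "would run: $prefix/bin/openpkg build -ZaKB | sh"
    fi
}
```

Run it as `DO_BUILD=yes sh upgrade.sh` after sourcing, or call `openpkg_snapshot_upgrade /openpkg 2-STABLE-20061018` directly; without DO_BUILD=yes it only edits the release file and prints the commands it would run, which is a cheap way to confirm the tag rewrite before the long rebuild starts.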

______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
User Communication List                      openpkg-users@openpkg.org