BSDSec

deadsimple BSD Security Advisories and Announcements

Announcing the pkgsrc-2015Q1 Branch

pkgsrc-2015Q1
=============
The pkgsrc team is proud to announce the availability of the
pkgsrc-2015Q1 branch.  We welcome postgresql 9.4, ruby 2.2, lua 5.3,
xen 4.5, and Tobias Nygren back as a pkgsrc developer.
 
Number of Packages
==================
In pkgsrc, there are:
 
15246 possible pkgsrc packages in pkgsrc-2015Q1 (15510 last quarter)
12619 pkgsrc entries as reported by lintpkgsrc (12449 last quarter)
14896 binary packages built with clang for NetBSD-current/x86_64 (15049 last quarter)
13092 binary packages built with gcc for Joyent's SmartOS/x86_64 (12972 last quarter)
13028 binary packages built with gcc for Joyent's SmartOS/i386
12802 binary packages built with clang for FreeBSD 10.1/x86_64
11224 binary packages built with gcc for Darwin 8.11.0/powerpc
10019 binary packages built with gcc for Darwin 10.8.0/i386
 
In addition, this quarter:
216 packages have been added (156 last quarter)
2 packages have been renamed (4 last quarter)
46 packages removed, 11 with a successor (48 and 9 last quarter)
2007 packages updated (1575 last quarter)

Pkgsrc Release Schedule
=======================
The pkgsrc developers make a new release every three months.  We
believe that this is a sweet spot between too many updates, and
keeping abreast of issues like security vulnerabilities.  Pkgsrc is
not tied to any one operating system or architecture, which gives us
the ability to decouple the releases from any operating system
releases, and to concentrate on the packages themselves.
 
This is the 46th quarterly release of pkgsrc.
 
Changes to pkgsrc
=================
Ryosuke Moro continues to improve our haskell package support.  A
framework for packaging software in Go has been added -- see
pkgsrc/lang/go/go-package.mk, and the github MASTER_SITES handling has
been added.  Many pkgsrc developers and contributors have all helped
with PR submissions, fixes and bug reports.
 
Package Additions
=================
New packages for db6, postgresql 9.4, cmocka, lua 5.3, openjdk8, ruby
2.2, tigervnc, sslsplit, xen 4.5 were added.  We also gained more
perl, python, haskell, and ruby wrappers for many libraries.
 
Package Removals
================
We actively manage the packages in pkgsrc, and delete ones that are
not necessary.  We said goodbye to navi2ch, lc, php 5.3, bind 9.6 and
9.8 and openmotif for this branch.  Package views were also retired.
 
Other Changes
=============
As expected, we have made more progress in integrating cwrappers, and
we expect to complete that next quarter.  We also expect to finish the
integration of signature verification of binary packages and package
vulnerabilities next quarter. The updates to our perl packages was
also notable.
 
Pkgsrc-security
===============
One neat feature of pkgsrc is its ability to sort package versions
based on the version numbers.  It's used in audit-packages, to report
on any installed packages which may have security vulnerabilities in
them.  pkgsrc-security@pkgsrc.org maintains lists of vulnerable
packages, along with reference URLs relating to the exposure.  We
thank the whole pkgsrc-security team for their hard work.  Sample
output from audit-packages is shown below:
 
% audit-packages
Package libtasn1-4.2 has a stack-overflow vulnerability, see http://lists.gnu.org/archive/html/help-libtasn1/2015-03/msg00002.html
%
 
Getting pkgsrc
==============
More information can be found in
        http://www.netbsd.org/docs/pkgsrc/getting.html
 
tar files for pkgsrc, along with checksums, can be found at
        http://ftp.netbsd.org/pub/pkgsrc/pkgsrc-2015Q1/
 
and anonymous cvs can be used:
        cvs -z3 -q -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -r 
pkgsrc-2015Q1 -P pkgsrc
 
or by pulling from the git mirror at:
        https://github.com/jsonn/pkgsrc
or the mercurial mirror at:
	https://bitbucket.org/agc/pkgsrc.hg

Joyent provide quarterly binary package sets for SmartOS/illumos,
OS X, and Linux, as well as some quickstart documentation at:
	http://pkgsrc.joyent.com/
The packages are built from their pkgsrc fork available at:
	https://github.com/joyent/pkgsrc
which includes support for experimental features such as
multiarch packages, but may lag behind the git mirror.
 
About pkgsrc
============
pkgsrc is a cross-platform packaging system.  It allows people to
download sources and to build and install binary packages on one or
more platforms.
 
Building packages from source is useful for a number of reasons:
 
+ not only is the provenance of source code checked (by using multiple
digests), with pkgsrc, the version of source code you are working
with is the same that other developers and users have.
 
+ package builders can choose to customise their own installations by
means of the option framework.  pre-built packages from other builders
may not have specified the same options.
 
+ patches are maintained in a central repository, and, again, are
checked at patch application time by using digests. The patches
which are applied to the sources being built are the same ones which
are known to be used and proved by other pkgsrc users (not necessarily
on the same platform).
 
+ by building from source, all doubts about compilers, build practices,
source code cleanliness, and packaging differences are removed. 
Digital signatures of binary packages, while useful in themselves,
only prove certain aspects of binary package provenance. (pkgsrc has
had signed packages since 2001.)
 
+ it may be difficult or impossible to find a pre-built package for
the operating system or architecture.
 
+ a pre-built package may have further or conflicting pre-requisites,
which are themselves difficult to find or build. By building everything,
including pre-requisites, a from-source packaging system can ensure
that pre-requisites are present and integrated.
 
At the present time, pkgsrc supports 22 platforms:
 
        AIX
        BSDOS
        Cygwin
        Darwin/Mac OS X
        DragonFly
        FreeBSD
        FreeMiNT
        GNU/kFreeBSD
        HPUX
        Haiku
        IRIX
        Interix/SFU/SUA
        Linux
        Minix3
        MirBSD
        NetBSD
        OSF1
        OpenBSD
        QNX
        SCO OpenServer
        Solaris/illumos
        UnixWare
 
Complete dependency and pre-requisite package information is held and
used by the package management software - if packages rely on other
packages to function properly, that pre-requisite will be built,
installed and managed as part of the package installation process. 
Binary packages can be managed using pkgin and nih.
 
Alistair Crooks
On behalf of the pkgsrc developers
Thu Apr  2 15:29:23 PDT 2015