[SOLVED] slackware-security ML is being incomplete

ndr · 06-15-2017, 07:31 AM

It's happening more and more often, lately, that the slackware-security mailing list fails to announce some of the package updates. I find out when I give `slackpkg upgrade-all` and unexpected packages appear in the list (for example, today it's `pkg-config`: updated, not announced).

So, being paranoid

, I go and check the Changelog to see if the package has indeed been updated, or if something fishy is going on within my preferred mirror.

I wonder if should I give up on the mailing list and check the Changelog directly...

How does everyone keep up with the latest security news for Slackware?

GazL · 06-15-2017, 07:46 AM

pkg-config update was likely not security related, but yes, just keep an eye on the changelog instead. I've never subscribed to the ML.

magicm · 06-15-2017, 07:51 AM

First, I don't know for sure, but I expect that the slackware-security mailing list only mentions updates that are 'security-related' (for all I know, it might even require a CVE id). I rely on it to tell me that there is a security issue that has been patched.

But when something is patched, it doesn't mean that it is patched for a security bug. As slackpkg doesn't have an "upgrade-security" option, "upgrade-all" will pick up all that's been patched. Checking ChangeLog.txt is always appropriate, but I don't see an issue with waiting for the mailing list, to tell me I "should" update.

In the example you give, the ChangeLog.txt says

Code:

patches/packages/pkg-config-0.29.2-x86_64-1_slack14.2.txz:  Upgraded.
  This is a bugfix release, and is needed for some updates on slackbuilds.org
  to compile properly. Thanks to Willy Sudiarto Raharjo.

I don't see a security reason, there.

willysr · 06-15-2017, 10:56 AM

pkg-config-0.29.2 is needed to build latest version of filezilla in SBo, so i asked Patrick after investigating whether the new version is safe to be included in -stable or not. It's purely bug fixes, so it wasn't listed in slackware-security mailing list.

drgibbon · 06-16-2017, 08:44 AM

Quote:

Originally Posted by ndr

How does everyone keep up with the latest security news for Slackware?

RSS. If you wanted I'm sure you could filter/tag for security, etc.