LinuxQuestions.org


ndr 06-15-2017 07:31 AM

slackware-security ML is being incomplete
 
It's happening more and more often, lately, that the slackware-security mailing list fails to announce some of the package updates. I find out when I give `slackpkg upgrade-all` and unexpected packages appear in the list (for example, today it's `pkg-config`: updated, not announced).

So, being paranoid, I go and check the Changelog to see if the package has indeed been updated, or if something fishy is going on within my preferred mirror.

I wonder if I should give up on the mailing list and check the Changelog directly...

How does everyone keep up with the latest security news for Slackware?

GazL 06-15-2017 07:46 AM

pkg-config update was likely not security related, but yes, just keep an eye on the changelog instead. I've never subscribed to the ML.

magicm 06-15-2017 07:51 AM

First, I don't know for sure, but I expect that the slackware-security mailing list only mentions updates that are 'security-related' (for all I know, it might even require a CVE id). I rely on it to tell me that there is a security issue that has been patched.

But when something is patched, it doesn't mean that it is patched for a security bug. As slackpkg doesn't have an "upgrade-security" option, "upgrade-all" will pick up all that's been patched. Checking ChangeLog.txt is always appropriate, but I don't see an issue with waiting for the mailing list, to tell me I "should" update.

In the example you give, the ChangeLog.txt says:

```
patches/packages/pkg-config-0.29.2-x86_64-1_slack14.2.txz:  Upgraded.
  This is a bugfix release, and is needed for some updates on slackbuilds.org
  to compile properly. Thanks to Willy Sudiarto Raharjo.
```

I don't see a security reason, there.

willysr 06-15-2017 10:56 AM

pkg-config-0.29.2 is needed to build the latest version of filezilla in SBo, so I asked Patrick after investigating whether the new version is safe to be included in -stable or not. It's purely bug fixes, so it wasn't listed in the slackware-security mailing list.

drgibbon 06-16-2017 08:44 AM

Quote:

Originally Posted by ndr (Post 5722984)
How does everyone keep up with the latest security news for Slackware?

RSS. If you wanted I'm sure you could filter/tag for security, etc.
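
Added example, not part of any post in this thread: since slackpkg has no "upgrade-security" option, one way to filter ChangeLog.txt for security entries, as suggested above, is to key on the `(* Security fix *)` marker that Slackware's ChangeLog.txt puts in security-related entries. The function names, the `example` package and the dates in the sample are constructed for illustration.

```shell
#!/bin/sh
# Classify ChangeLog.txt entries: "SECURITY" if the entry carries the
# "(* Security fix *)" marker, "other" otherwise. Output: TAG<TAB>package path.
classify_changelog() {
    awk '
        function emit(   tag) {
            if (pkg == "") return
            tag = sec ? "SECURITY" : "other"
            print tag "\t" pkg
            pkg = ""; sec = 0
        }
        /^\+-+\+$/ { emit(); next }                 # separator between batches
        /^[a-z].*\.t[a-z]z:/ {                      # "path/pkg.txz:  Upgraded."
            emit(); pkg = $1; sub(/:$/, "", pkg); next
        }
        /^  / && index($0, "(* Security fix *)") { sec = 1 }
        END { emit() }
    ' "$1"
}

# Only the packages whose entry is flagged as a security fix.
security_fixes() {
    classify_changelog "$1" | awk -F'\t' '$1 == "SECURITY" { print $2 }'
}

# Constructed sample: the pkg-config entry quoted in the thread plus a
# made-up package ("example") with the security marker. Dates are invented.
write_sample() {
    cat > "$1" <<'EOF'
Thu Jun 15 00:00:00 UTC 2017
patches/packages/pkg-config-0.29.2-x86_64-1_slack14.2.txz:  Upgraded.
  This is a bugfix release, and is needed for some updates on slackbuilds.org
  to compile properly. Thanks to Willy Sudiarto Raharjo.
+--------------------------+
Wed Jun 14 00:00:00 UTC 2017
patches/packages/example-1.0-x86_64-1_slack14.2.txz:  Upgraded.
  Constructed entry standing in for a security update.
  (* Security fix *)
+--------------------------+
EOF
}

sample=$(mktemp)
write_sample "$sample"
classify_changelog "$sample"
rm -f "$sample"
```

Run against a ChangeLog.txt fetched from a mirror, `security_fixes` gives the list to compare with what slackware-security announced; anything tagged `other` is an unannounced but non-security update like pkg-config here.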


All times are GMT -5.