| Summary: | Installations don't include patches | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Adam Weinberger <adamw> |
| Component: | misc | Assignee: | FreeBSD Release Engineering <re> |
| Status: | New --- | | |
| Severity: | Affects Many People | CC: | cperciva, lwhsu |
| Priority: | --- | | |
| Version: | Unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |

Description
Adam Weinberger
2020-06-28 05:35:01 UTC
It's been a year since this PR was filed, so this is a ping. This PR is about distributing fully patched downloads, rather than expecting all installations to run freebsd-update immediately. There's really no common circumstance under which a user would want an unpatched fresh FreeBSD installation. I think the biggest reason to not do this is signatures -- releases are signed by the release engineer, who isn't necessarily involved with the process of issuing security updates. It could be done after the fact by "unrolling" tarballs, applying updates, "rerolling" them, and then re-signing the files, but that seems like a lot of work compared to telling users to apply security updates after they install. (I do have plans to provide pre-patched EC2 images, though, since the speed of getting a new system up and running is more important in cloud platforms.)