Hacker News

toast0, today at 4:03 AM (0 replies)

> The point is that for any system that has a publicly facing (internet) part you will have to keep up to date with known vulnerabilities as published in CVEs. Not doing so makes you a prime target for security breaches.

Sure, you have to be aware of them, but for something like this [1], if you don't use SO_REUSEPORT_LB, you don't have to take any further action.

The defect is likely in other FreeBSD releases that are no longer supported, but still, if you don't use SO_REUSEPORT_LB, you don't have to update.

If you do use the feature, then for unsupported releases, you could backport the fix, or update to a supported version. And you might mitigate by disabling the feature temporarily, depending on how much of a hit not using it is for your use case. Like I said, you have to be prepared for that.

You can also do partial updates, like take a new kernel, without touching the userland; or take the kernel and userland without taking any package/ports updates.

Some security advisories cover base userland or ports/packages... we can go through an example of one of those and see what the decision criteria would be for those, too.

[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09...
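The decision the comment walks through (is the affected feature in use at all; if so, is the component the advisory fixes already at the patched level on this branch, with kernel and userland tracked separately because they can be updated separately) written out as a small POSIX sh helper. This is an added example, not code from the comment or from the FreeBSD project. It assumes the advisory's "corrected" version for your release branch is supplied as the FIXED argument; the value used below is constructed, not taken from the linked advisory. Whether a host actually uses the affected feature is an input you supply; the script does not inspect sockets. On a real host the two version strings would come from `freebsd-version -k` (installed kernel) and `freebsd-version -u` (userland); here they are constructed too.

```shell
#!/bin/sh
# Added example (not from the HN comment): a decision helper for a FreeBSD
# security advisory. Kernel and base userland are checked separately, since
# you can take a new kernel without touching userland and vice versa.
# All version strings in this file, including FIXED, are constructed.

# "14.2-RELEASE-p5" -> "14.2": the release branch the advisory lists fixes for.
branch_of() {
    printf '%s\n' "${1%%-*}"
}

# "14.2-RELEASE-p5" -> "5"; a version with no -pN suffix is patch level 0.
patch_of() {
    case $1 in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# advisory_action COMPONENT FIXED KERNEL_VER USERLAND_VER FEATURE_IN_USE
#   COMPONENT       what the advisory patches: "kernel" or "userland"
#   FIXED           corrected version for your branch, from the advisory
#   FEATURE_IN_USE  "yes" if this host actually uses the affected feature
# Prints exactly one of:
#   no-action        feature not in use; nothing to do for this advisory
#   patched          the affected component is at or above FIXED
#   update-kernel    take a new kernel (userland can stay as it is)
#   update-userland  take the base userland update
#   other-branch     host is on a different release branch than FIXED: use the
#                    advisory's entry for that branch, or backport the fix or
#                    upgrade if the branch is no longer supported
advisory_action() {
    component=$1; fixed=$2; kernel=$3; userland=$4; in_use=$5
    if [ "$in_use" != yes ]; then
        echo no-action
        return 0
    fi
    case $component in
        kernel)   installed=$kernel ;;
        userland) installed=$userland ;;
        *)        echo "unknown component: $component" >&2; return 2 ;;
    esac
    # Patch levels only compare within one branch; 13.3-p9 says nothing
    # about a fix that the advisory lists as 14.2-p5.
    if [ "$(branch_of "$installed")" != "$(branch_of "$fixed")" ]; then
        echo other-branch
        return 0
    fi
    if [ "$(patch_of "$installed")" -ge "$(patch_of "$fixed")" ]; then
        echo patched
    else
        echo "update-$component"
    fi
}

# Constructed fleet: host, installed kernel, installed userland, uses feature?
# FIXED is a made-up stand-in for the advisory's corrected version.
FIXED=14.2-RELEASE-p5
printf '%-6s %-16s %-16s %-4s %s\n' HOST KERNEL USERLAND USES ACTION
while read -r host kernel userland uses; do
    printf '%-6s %-16s %-16s %-4s %s\n' "$host" "$kernel" "$userland" "$uses" \
        "$(advisory_action kernel "$FIXED" "$kernel" "$userland" "$uses")"
done <<EOF
web1 14.2-RELEASE-p3 14.2-RELEASE-p5 yes
web2 14.2-RELEASE-p5 14.2-RELEASE-p3 yes
db1 14.2-RELEASE-p3 14.2-RELEASE-p3 no
old1 13.3-RELEASE-p9 13.3-RELEASE-p9 yes
EOF
```

The web2 row is the partial-update case from the comment: for a kernel-only advisory a host whose kernel is at the corrected level is done even though its userland lags, while web1 is the reverse. The old1 row is the unsupported-branch case; the helper deliberately refuses to compare patch levels across branches rather than guessing.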