Re: FreeBSD Patch question

From: Devon H. O'Dell (dodell_at_sitetronics.com)
Date: 09/25/03

  • Next message: Robert Watson: "Re: FreeBSD Patch question"
    Date: Thu, 25 Sep 2003 21:52:32 +0200
    To: "V. Jones" <vjones62@earthlink.net>
    
    

    V. Jones wrote:

    >I administer a remote server and want to apply some of the security patches. (I assume this is the best way to go since I can't go into single-user mode to use CVSup).
    >
    >
    First: you can update your system without booting into single-user mode.
    I hope I don't get chewed out for suggesting this, but if there's nobody
    physically *at* your server to do the update for you, you're going to
    have to do it yourself (see below).

    >I have a couple of questions. First, I have installed one of the pgp ports to verify the patches. When I run it, I get this message:
    >
    >
    >
    >>File 'buffer46.patch.asc' has signature, but with no text.
    >>Text is assumed to be in file 'buffer46.patch'.
    >>signature not checked.
    >> Signature made 2003/09/17 18:02 GMT
    >> key does not meet validity threshold.
    >>
    >>
    >
    >
    >
    >>WARNING: Because this public key is not certified with a trusted
    >>signature, it is not known with high confidence that this public key
    >>actually belongs to: "(KeyID: 0xCA6CDFB2)".
    >>
    >>
    >
    >I guess that I need to do some additional set up to get pgp to validate this file. Can anyone tell me where to find a howto on this subject or tell me what to do?
    >
    >
    Sure. IIRC, this just means that you've not marked the person's (KeyID:
    0xCA6CDFB2) signature as trusted. You'll need to connect to a keyserver
    and download the information about the person with KeyID: 0xCA6CDFB2. If
    you trust that you've the right data, you can mark said person as trusted.

    >Second, do I have to apply each patch, then run make after each patch, or can I apply all the patches and just run make once?
    >
    >Any other advice or suggestions on updating a remote system would be appreciated.
    >
    >
    You can apply all the patches and run make one time. If you're not
    interested in rebuilding the entire userland (and you're not installing
    newer versions of userland utilities that rely on an updated kernel),
    you can just run cvsup, download the source, and run make from within
    the desired directories.

    The handbook recommends that one drop into single user mode to build the
    world. While this is certainly best practice, it is by no means
    absolutely necessary. I administer several servers in up to nine time
    zones away from me and, whenever there's a security advisory, I either

    a) rebuild the entire userland and kernel if I've found enough things I
    need to change/tune at kernel level, or
    b) rebuild and install the affected patches (which may actually cause
    option a -- rebuilding the world -- to be a necessity).

    Again, building the world under single-user mode is a highly suggested
    best practice. It is by no means absolutely necessary and I've been
    doing it for a good while with no problems (never had a problem with
    it). I'd be glad to help you out with it privately, if you so wish.

    --Devon

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
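
Added example, not part of the original message: a POSIX shell check that accepts a detached signature such as `buffer46.patch.asc` only when GnuPG reports a good signature from a key whose full fingerprint matches one obtained out of band, something a keyserver lookup by KeyID alone does not establish. It assumes GnuPG (`gpg`) rather than the pgp port used in the thread; the function names, the fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data: this fingerprint is a placeholder, not a real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
# Constructed `gpg --status-fd` output: good signature, key validity not established.
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $PINNED_FPR 2003-09-17 1063821720 0 3 0 17 2 00 $PINNED_FPR
[GNUPG:] TRUST_UNDEFINED"
# Constructed output: same key, but the file does not match the signature.
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>"

# sig_matches_pinned_key FPR  (gpg status lines on stdin)
# Succeeds only if gpg reported GOODSIG plus a VALIDSIG naming the pinned
# fingerprint (signing key or its primary key), and no failure status.
sig_matches_pinned_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_patch FPR PATCHFILE  (detached signature expected at PATCHFILE.asc)
# Human-readable gpg messages go to stderr; only the status lines are parsed.
verify_patch() {
    gpg --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null |
        sig_matches_pinned_key "$1"
}
```

Run as `verify_patch "$PINNED_FPR" buffer46.patch` for each downloaded patch, with `PINNED_FPR` set to the fingerprint you have confirmed, and apply only the patches for which it succeeds.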

