Re: FreeBSD Patch question

From: Devon H. O'Dell (dodell_at_sitetronics.com)
Date: 09/27/03

  • Next message: Bruce M Simpson: "Re: FreeBSD Patch question"
    Date: Sat, 27 Sep 2003 22:54:26 +0200
    To: "V. Jones" <vjones62@earthlink.net>
    
    

    V. Jones wrote:

    >Thanks to everyone who responded - my question really had more to do with applying patches as they are presented in the various security advisories. It sounds like most of you don't do it that way; it sounds like you track freebsd-stable using cvsup. However, section 21.2.2.2 of the handbook seems to advise against doing this when all you want to do is apply security fixes:
    >
    >"While it is true that security fixes also go into the FreeBSD-STABLE branch, you do not need to track FreeBSD-STABLE to do this. Every security advisory for FreeBSD explains how to fix the problem for the releases it affects [1], and tracking an entire development branch just for security reasons is likely to bring in a lot of unwanted changes as well."
    >
    >My intention is to apply the patches as instructed in the advisories. I'll resolve my issues with pgp so that I can validate the files first, then apply them one at a time.
    >
    >
    I do not track FreeBSD-STABLE (on my production boxes) and don't really
    advise people running production servers to run the -STABLE branch.
    FreeBSD-STABLE is another development branch; the stabilization branch,
    as it were. The handbook advises against it because it's a development
    branch and isn't meant for production servers. The most stable FreeBSD
    you can get is a -RELEASE snapshot. All security advisories are tracked
    for the -RELEASE snapshot. If you're tracking 4.8-RELEASE, you'd simply
    have RELENG_4_8 in your supfile. This is, as far as I've been able to
    tell in my past 5 years of experience with FreeBSD, the recommended way
    of doing things.

    Then again, I don't blame you for wanting to validate every patch :)

    --Devon

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
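
Added example, not part of the message above or of any FreeBSD tooling: a small sh check that reads the `tag=` setting from a cvsup supfile and reports whether it follows a release's security branch (such as the RELENG_4_8 mentioned above), the -STABLE branch, or -CURRENT. The sample supfile, its host name and the function names are constructed for illustration; the tag meanings follow the CVS branch naming of that era.

```shell
#!/bin/sh
# Tag meanings assumed here (FreeBSD CVS naming of that era):
#   RELENG_4_8            security branch for 4.8-RELEASE
#   RELENG_4              4-STABLE development branch
#   RELENG_4_8_0_RELEASE  frozen release tag, receives no fixes
#   .                     HEAD, i.e. -CURRENT

# Print the tag= value from the last "*default" line that sets one.
supfile_tag() {
    sed -n 's/^\*default[[:space:]].*tag=\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Map a CVS tag to the kind of branch it tracks (loose glob matching).
classify_tag() {
    case "$1" in
        RELENG_[0-9]*_[0-9]*_[0-9]*_RELEASE) echo "release-tag" ;;
        RELENG_[0-9]*_[0-9]*)                echo "security-branch" ;;
        RELENG_[0-9]*)                       echo "stable-branch" ;;
        .)                                   echo "current" ;;
        "")                                  echo "no-tag" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Constructed sample supfile; the host name is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example supfile
*default host=cvsup.example.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_4_8
*default delete use-rel-suffix
src-all
EOF

tag=$(supfile_tag "$sample")
echo "supfile tracks tag=$tag ($(classify_tag "$tag"))"
rm -f "$sample"
```

A result of `stable-branch` or `current` on a production host means the next cvsup run will pull in development changes, not only advisory fixes.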

