From: Matthew Seaman
To: Vahric MUHTARYAN
Cc: freebsd-questions@freebsd.org
Date: Sun, 7 Dec 2003 12:13:01 +0000
Subject: Re: for understanding correctly -- Up-to-date - Upgread ..
Message-ID: <20031207121301.GA7035@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <0c1c01c3bcb2$74576130$110d3ad4@VAHOXP>

On Sun, Dec 07, 2003 at 01:08:33PM +0200, Vahric MUHTARYAN wrote:
> 1) Now I'm using FreeBSD 5.1-RELEASE I don't know how often new
> release announced but When I want to upgrade to new release when it
> available Which way is true to that ; Binary Update Mechanism to move
> from release to release ( using freebsd-update-1.4 ports is correct or
> Do you know any ports ) or Using New release CD and using sysinstall
> program ...

New versions are released approximately every 4 months. 5.2-RELEASE
is due in the next few weeks. However, you should subscribe to
freebsd-announce@.. or freebsd-security@... so you catch any
announcements of new security patches.

> 2) Using and installing programs with ports really easy and
> really easy to update ports with portupgrade because ports also have
> patches for vulnerability. But I'm watching the list some programs like
> ssh or sendmail are in base system and I have to track those programs
> bugs Does it enough to watching Security Advisories from www.freebsd.org
> and apply patches for up-to-date base system without sync. entire src.
> Tree ...

Yes -- security advisories will contain patches for the base system,
and very often it will be possible to apply the patches, recompile
just the affected part of the system and install the fixed binaries.
Sometimes however it won't, and you have to do a full kernel / world
build plus install and reboot. Note that the patches in S.A.s always
fix the problem, but don't necessarily update version numbers and so
forth, so your system may still appear to be potentially vulnerable
to those who know no better.

> 3) I know that not like linux FreeBSD is structured that the
> entire system is available in source form . Does it means When I
> download or up-to-date the source via CVSup and use make world at this
> moment I have updated , patched and new binaries FreeBSD ?!!

FreeBSD (unlike Linux) makes a clear distinction between what is part
of the system, and what is externally contributed code -- i.e. ports.
If you cvsup, recompile and re-install your system then, yes, you
will have upgraded to the latest FreeBSD version on whatever branch
you choose to track. You will need to update ports and other third
party stuff independently of the base system.

> 4) Some books they said that " make world also not a guaranteed
> process . I want to ask When I have high-profile production server Does
> it true to use make world ?! Whats the way to protect/up-to-date
> high-profile production servers ?!!!

For a production server, you should be tracking 4.9-RELEASE. As it's
a -RELEASE branch it's been thoroughly tested and known to compile
correctly. The only updates you'll get on that branch are security
fixes, which are usually fairly small.

For production servers, you should consider using a separate
build/test box, where you can break things without unpleasant
consequences. Once you've got things built correctly and tested
thoroughly, you can mount the /usr/src and /usr/obj directories from
the build box onto your production server, and quickly reinstall and
reboot with minimum downtime.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
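
The build-box workflow described in the reply above, as an added shell example that is not part of the original message. The host name `buildbox.example.org`, the `GENERIC` kernel configuration and the read-only NFS mounts are assumptions; the build box is assumed to have already run `make buildworld` and `make buildkernel` and to export both trees.

```shell
#!/bin/sh
# Added example, not from the original message. BUILD_HOST and KERNCONF are
# hypothetical values; DRY_RUN=1 (the default) prints commands instead of
# running them.
BUILD_HOST="${BUILD_HOST:-buildbox.example.org}"
KERNCONF="${KERNCONF:-GENERIC}"
DRY_RUN="${DRY_RUN:-1}"
SRC="${SRC:-/usr/src}"
OBJ="${OBJ:-/usr/obj}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Mount the build box's trees read-only, at the same paths used for the build:
# buildworld output lives under $OBJ$SRC, so the paths must match on both hosts.
mount_trees() {
    run mount -t nfs -o ro "$BUILD_HOST:$SRC" "$SRC" &&
    run mount -t nfs -o ro "$BUILD_HOST:$OBJ" "$OBJ"
}

# Refuse to install unless a source tree and a populated object tree are
# visible, e.g. when a mount silently failed and the local directory is empty.
check_trees() {
    [ -f "$SRC/Makefile" ] || { echo "no source tree at $SRC" >&2; return 1; }
    [ -d "$OBJ$SRC" ] && [ -n "$(ls -A "$OBJ$SRC" 2>/dev/null)" ] ||
        { echo "no build output under $OBJ$SRC" >&2; return 1; }
}

# Install the kernel and world that were built and tested on the build box,
# then reboot. Nothing is compiled on the production server.
install_from_buildbox() {
    mount_trees || return 1
    check_trees || return 1
    (
        cd "$SRC" || exit 1
        run make installkernel KERNCONF="$KERNCONF" &&
        run make installworld &&
        run shutdown -r now
    )
}

# Only act when asked to: ./install-from-buildbox.sh install
if [ "${1:-}" = install ]; then install_from_buildbox; fi
```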