From: Chris Miller <ctodd@netgate.net>
To: freebsd-questions@freebsd.org
Date: Tue, 8 Apr 2003 18:24:59 -0700 (PDT)
Subject: Questions about patches

I'm looking at replacing BSD/OS with FreeBSD (we're a hosting provider). I've been using FreeBSD for some time now for non-customer servers (Amanda, DNS, Mail) and have maintained/upgraded these servers as needed, typically using cvsup and make world/kernel. To move to a production environment, however, I need to create procedures for keeping these systems up to date with minimal downtime and customer impact. Unfortunately, patching in the FreeBSD world is much different than in BSD/OS or even RedHat.

In the BSD/OS world, patches are supplied for the core OS (including some installed apps) in binary format. Basically a perl script with encoded archives embedded; you just run "perl apply". This doesn't include our own apps like Apache, MySQL, etc. that we install separately, as they are updated more frequently than Windriver cares to release OS updates. Boo!

In the RedHat world, many applications are installed with the OS (not necessarily a good thing), and RedHat does a good job of announcing and releasing patches for these applications in a timely manner. The patches come in rpm format and can even be autoinstalled by a third-party utility called autoupdate.

In the FreeBSD world, however (feel free to jump in and set me straight here), patches seem to only be released for core OS components based solely on CERT advisories. These patches often (but not always) need to be applied to the source tree by running several commands and then by running make world, just as when upgrading the OS. For example, FreeBSD-SA-03:06.openssl required the whole OS be rebuilt rather than replacing the affected components, whereas FreeBSD-SA-03:07.sendmail was supplied in binary format. I intend to run a "build" server which all other servers will NFS mount to perform OS upgrades, but I'd prefer not to have to do this for every advisory. I've scoured the FreeBSD site and other resources for a couple of days, but I've found no binary way of patching the OS as I'm accustomed to doing with BSD/OS and RedHat.

So my first question is: is there, or will there be, a better method of patching the core OS in the future that addresses only the affected components? I realize OpenSSL is a dependency for many other things in the OS, so I can understand if perhaps this example may require an OS rebuild.

My second question would be: will FreeBSD supply a patching mechanism that perhaps utilizes a package manager?

Now on to the ports and packages. The maintainers of the ports collection appear to do a good job of quickly patching software in the ports collection, but rarely is an announcement made to the list (at least to any of the freebsd lists I subscribe to), which makes it difficult to determine when something has in fact been patched. New packages are released soon after in most cases, but often run several releases behind what is current, ruling out pkg_add as an option. Unfortunately, patching a given port (with dependencies) seems to require updating the entire ports tree to the latest versions, then compiling and installing. In some instances we may want to apply a patch to an existing version of an application rather than update it, but this is not possible most of the time. From what I can surmise, the procedure for patching applications in a multi-server environment is to update the ports tree, build/install/test these on a build server, and then package them up and install them remotely via pkg_add.

Questions:

1. Is this the best way to apply patches to applications?
2. Are there any plans to provide a better notification system when applications are patched, similar to what RedHat has done with Bugzilla?

If there's a better list to send this to, let me know.

Regards,
Chris
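The build-server-and-pkg_add procedure above still leaves the question of knowing which installed packages are behind a fix. As an added example (not part of the original mail), here is a small POSIX sh check that compares a constructed pkg_info-style list of installed packages against a constructed list of fixed-in versions; the package names and version numbers are illustrative only, and vercmp is a helper written for this example.

```shell
#!/bin/sh
# Constructed sample in the "name-version" form pkg_info prints (one per line).
INSTALLED='apache-1.3.27
mysql-server-3.23.54
openssl-0.9.6i
sendmail-8.12.7'

# Constructed "fixed in" table, as one might record it from advisories or ports commits.
FIXED='apache 1.3.27
openssl 0.9.7a
sendmail 8.12.9'

# vercmp A B: exit 0 if version A is older than version B, 1 otherwise.
# Each dotted component is compared by its numeric prefix, then by any letter suffix
# (so 0.9.6i < 0.9.7a and 0.9.7 < 0.9.7a).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] : "0"; q = (i <= nb) ? y[i] : "0"
      match(p, /^[0-9]*/); pn = substr(p, 1, RLENGTH) + 0; ps = substr(p, RLENGTH + 1)
      match(q, /^[0-9]*/); qn = substr(q, 1, RLENGTH) + 0; qs = substr(q, RLENGTH + 1)
      if (pn != qn) exit ((pn < qn) ? 0 : 1)
      if (ps != qs) exit ((ps < qs) ? 0 : 1)
    }
    exit 1
  }'
}

# outdated: print one line per installed package whose version is older than the fix.
outdated() {
  printf '%s\n' "$INSTALLED" | while IFS= read -r pkg; do
    name=${pkg%-*}; ver=${pkg##*-}      # split on the last dash: name / version
    fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$fixed" ] || continue         # no known fix recorded for this package
    if vercmp "$ver" "$fixed"; then
      printf '%s needs %s (installed %s)\n' "$name" "$fixed" "$ver"
    fi
  done
}

outdated
```

Replacing the INSTALLED sample with the real `pkg_info` output on each host turns this into a quick per-server check against whatever fixed-version list you maintain on the build server.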