From owner-freebsd-security@FreeBSD.ORG Thu May 9 04:02:00 2013
Delivered-To: freebsd-security@freebsd.org
From: Lowell Gilbert
To: Roberto
Cc: freebsd-security@freebsd.org
Subject: Re: packages (binary) update best practice
Date: Thu, 09 May 2013 00:01:52 -0400
In-Reply-To: (Roberto's message of "Tue, 7 May 2013 11:16:48 +0200")
Message-ID: <44vc6s243z.fsf@lowell-desk.lan>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain
List-Id: "Security issues [members-only posting]"

Roberto writes:

> Hi all,
> I have updated recently to FreeBSD 9.1 via freebsd-update and I was quite
> happy with the process and the instructions in the FreeBSD Handbook, I think
> well documented.
>
> But I would like to understand what is the best practice to update the
> ports too, as I used the package tools (pkg_add -r) to add a few packages to
> the base install. Keeping in mind my server has disk space constraints
> (small disk install), I would ask an opinion about the following methods to
> upgrade packages after a FreeBSD upgrade (in this case from 9.0 to 9.1):
>
> 1) perform
>
> # pkg_delete
> and then
> # pkg_add -r
>
> for each of them? (I think about some packages depending on others; this
> could create some little problems);
>
> 2) perform
> # pkg_add -F
> (not tried yet) and overwrite the already installed pkg?
>
> 3) have a separate server on which to create updated pkg from ports (i.e.
> from source)?
>
> 4) use the new package system pkgng, converting the existing installation?
> (this operation is not reversible, so I am waiting before doing this)
>
> I would like some ideas on this topic please, from a security perspective;

From a security perspective, there is little difference between these
options. Using pkgng or not is completely irrelevant.

Building your own packages in combination with portsnap would allow you to
have cryptographic checks on the validity of what you download. The security
concerns closed by this are relatively minor, but for both that and
convenience reasons I'd recommend portsnap in the absence of any specific
reasons to use anything else to get your ports tree.

Also for convenience reasons, I would recommend using an upgrade tool, such
as portmaster or portupgrade.