Date:      Tue, 10 Apr 2001 20:04:21 -0700
From:      Michael Bryan <fbsd-secure@ursine.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Security Announcements?
Message-ID:  <3AD3C9B5.1DC86C19@ursine.com>
References:  <XFMail.010410154347.nmh@daemontech.com>



Nicole Harrington wrote:
>
>  As someone who runs many production level servers here is what I would want
>  In order:
> 
>  [...]
>
>  2) A binary patch.  Similar to the Linux RPMs and the BSDi patches.
>   Just download and run. No compiles no installs.

I fully agree.  In my opinion, it would be the single most helpful
improvement to the FreeBSD bug fix process.  It is much, much, much
easier to roll out (install/test/approve) a binary patch of just the
affected software, rather than making systems track -STABLE, or even
doing what I do now, which is to do "spot builds" of the affected
software and create my own crude-but-effective installs to send out
to all the affected servers.  [And some things like kernel fixes
would obviously not be doable without a manual compile/install of
a new kernel, but that doesn't nullify the effectiveness in cases
where you can do binary patches.]

It also helps solve another problem that comes up every time BIND or
some other software goes through this process --- the fact that one
of the easiest ways to currently upgrade is to use the version in the
ports tree, but the pieces get installed in different/conflicting
locations than the same components in the base system install, unless
you tweak the prefixes (and sometimes other things) when you build
the port.

I know that there are ways to get around those issues using -STABLE,
knowing the "make prefix=" magic, and other things, but there are so
many times that something like this comes up, and we get another round
of questions and confusion about the update process.  That tells me
that the current process is not really good enough, and needs improving.

And yeah, I know --- it takes time, money, people, systems, etc. to be
able to provide those services to the community, and somebody will need
to provide those resources in order to make it happen.  I don't know...
maybe I can work out something and do some measure of this myself, but
I'd have to talk with my employer, and then maybe discuss things with
Kris, and I'm not particularly hopeful that I can personally spare enough
of myself to do an effective job of it.  But I am going to think about
it...
