From owner-freebsd-questions@FreeBSD.ORG Wed Jan 7 16:09:32 2004
Message-ID: <3FFC9F8C.3040200@cream.org>
Date: Thu, 08 Jan 2004 00:08:44 +0000
From: Andrew Boothman
To: duanewinner@att.net
Cc: freebsd-questions
Subject: Re: staying 'up-to-date' questions
References: <1073497489.3925.22.camel@closetotheedge>
In-Reply-To: <1073497489.3925.22.camel@closetotheedge>

Duane Winner wrote:

> I've installed 4.9-RELEASE from the .ISO image.
> I just want to be certain that I have all security patches now and in
> the future.
>
> If I have "*default release=cvs tag=RELEASE_4_9" in my cvsup file, will
> I get all the updates I need to be secure?

No - you'll keep updating your source to 4.9-RELEASE which, while fun, isn't ultimately productive because that's the source you've already got. ;)

What you want is something like "tag=RELENG_4_9" which will keep you up-to-date with the latest security and critical fixes for 4.9-RELEASE or "tag=RELENG_4" which is the -stable development branch and will include not just fixes but also new features and changes as the -stable branch works its way towards the next 4.x release.

Tags that you can put in your supfile are listed on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html and don't forget to read the other sections of the manual about what it means to track one of the development branches.

> How do I know when to build a new kernel? How will I know when there is
> a security patch for the kernel?
> If I cronjob cvsup and rebuild the kernel once a week, will I be up to
> date?
> How do I know if my running kernel is up-to-date?

No - because there might be updates to software outside of the kernel. For example if a security problem is found in sendmail (perish the thought!) or OpenSSH then recompiling your kernel is not going to get them updated.

If a security problem is fixed in the kernel then you need to re-compile and re-install the kernel. Otherwise you just need to re-compile the relevant part of the system. Or if you can't be sure what has been touched by a particular update, go for a full "make buildworld/installworld" combo as usual.

The other key thing here is the -security-notifications list http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications which will tell you when security problems have been found that affect your system. Then you know when to update your source and/or kernel and/or world.

Hope that clarifies things a bit!

Andrew
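
As an added example (not part of the message above and not a FreeBSD tool), these sh functions read the tag from a cvsup supfile and flag one that is pinned to a release tag, which is the situation in the question. The function names, the sample host name and the `_RELEASE` suffix pattern (the Handbook's release-tag naming) are assumptions beyond the message.

```sh
#!/bin/sh
# Added example: audit which CVS tag a cvsup supfile tracks.

# supfile_tag FILE: print the last tag= value found on "*default" lines.
supfile_tag() {
    sed -n -e 's/#.*//' \
        -e '/^\*default/s/.*[[:space:]]tag=\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# classify_tag TAG: map a tag to what it tracks.
classify_tag() {
    case "$1" in
        "")                    echo "no-tag" ;;
        .)                     echo "current" ;;
        # Release tags never change, so no fixes arrive (RELEASE_4_9 is the
        # tag from the question; *_RELEASE is the Handbook naming).
        RELEASE_*|*_RELEASE)   echo "frozen-release" ;;
        # RELENG_x_y: security and critical fixes for one release.
        RELENG_[0-9]*_[0-9]*)  echo "security-branch" ;;
        # RELENG_x: the -stable development branch.
        RELENG_[0-9]*)         echo "stable-branch" ;;
        *)                     echo "unknown" ;;
    esac
}

# audit_supfile FILE: report the tag; return non-zero for a frozen release tag.
audit_supfile() {
    tag=$(supfile_tag "$1")
    class=$(classify_tag "$tag")
    echo "$1: tag=${tag:-<none>} ($class)"
    [ "$class" != "frozen-release" ]
}

# Constructed sample supfile; the host name is a placeholder.
demo_dir=$(mktemp -d /tmp/supfile.XXXXXX)
cat > "$demo_dir/supfile" <<'EOF'
*default host=cvsup.example.org
*default base=/usr
*default prefix=/usr
# the tag from the question
*default release=cvs tag=RELEASE_4_9
*default delete use-rel-suffix
src-all
EOF

audit_supfile "$demo_dir/supfile" ||
    echo "  -> pinned to a release tag: security fixes will not be fetched"
```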