From owner-freebsd-hackers@FreeBSD.ORG Wed Nov 10 17:45:38 2004 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5439216A4CE; Wed, 10 Nov 2004 17:45:38 +0000 (GMT) Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id D479343D31; Wed, 10 Nov 2004 17:45:35 +0000 (GMT) (envelope-from julian@elischer.org) Received: from [192.168.1.102] (adsl-68-123-122-146.dsl.snfc21.pacbell.net [68.123.122.146])iAAHj1GO063288; Wed, 10 Nov 2004 12:45:28 -0500 Message-ID: <4192539C.6040403@elischer.org> Date: Wed, 10 Nov 2004 09:45:00 -0800 From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8a3) Gecko/20041017 X-Accept-Language: en, hu MIME-Version: 1.0 To: Xin LI References: <20041110173511.GA2940@frontfree.net> In-Reply-To: <20041110173511.GA2940@frontfree.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-hackers@freebsd.org cc: freebsd-security@freebsd.org Subject: Re: Is there any way to know if userland is patched? X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Nov 2004 17:45:38 -0000 Xin LI wrote: > Dear folks, > > I'm recently investigating large scale deployment and upgrading FreeBSD > RELEASE. It's our tradition to bump "RELEASE-pN" after a security patch > is applied, however, it seems that there is less method to determine > whether the userland is patched, which is somewhat important for large > site managements. > > So is "uname -sr" the only way to differencate the patchlevel of a security > branch? I have read Colin's freebsd-update script and to my best of > knowledge this is the only way (and, on condition that we have re-compiled > the kernel and installed it, and reboot'ed). Given the nature of a security > or errata branch, we can expect that no API/ABI changes will occour and it > should be safe to do make installworld/installkernel in any order, and bumping > patchlevel does not mean that a reboot must be done. > > Please correct me if I was wrong, thanks. I upgrade systems by creating packages which contain all upgraded files I have a set of makefiles etc. checked into my local CVS tree that check out a freeBSD tree at a given revision and build it (withlocal patches added) and then extracts out fies according to a list I supply. On completion I check the list in too, so I can theoretically recreate that patch.. I use the package system to keep track of which packages are loaded onto a system, and newer upgrade packages always have earlier ones as dependencies.. > > Cheers,