Date: Mon, 21 Apr 2003 04:04:10 +0100
From: Colin Percival <colin.percival@wadham.ox.ac.uk>
To: Ryan Thompson <ryan@sasknow.com>
Cc: Colin Percival <colin.percival@wadham.ox.ac.uk>
Subject: Re: patching a production system
Message-ID: <5.0.2.1.1.20030421034142.03783e60@popserver.sfu.ca>
Ryan Thompson wrote:
>Chaos Golubitsky wrote to freebsd-questions@freebsd.org:
> > (a) (I think the answer is no, but would love to hear otherwise):
> > Do I have an alternative to maintaining a source tree on this
> > machine?
>
>Assuming you're running on i386 hardware, and staying current, binary
>patches are released for most security advisories. For more
>information, look at the advisories themselves, which will direct you
>to excellent information on how they may be applied.

The security team tends to release binary patches only when the set of
affected files is both small and obvious. The sendmail issues, for
example, only required that /usr/libexec/sendmail/sendmail be fixed; the
xdr and openssl patches, however, affected a larger number of files, and
no binary patches were provided for those.

That said, I'm building binary security updates for i386 4.7-RELEASE and
4.8-RELEASE; the code for fetching and installing these updates is in
/usr/ports/security/freebsd-update/ (thanks nork!), and more details are
available at http://www.daemonology.net/freebsd-update/.

This code will keep your machine up to date as if you were using cvsup
to track the RELENG_4_x tree and buildworlding, with the side benefit
that installing the binary updates is faster than a complete
installworld.

Colin Percival