From owner-freebsd-questions@FreeBSD.ORG Sun Apr 20 20:04:14 2003
Message-Id: <5.0.2.1.1.20030421034142.03783e60@popserver.sfu.ca>
Date: Mon, 21 Apr 2003 04:04:10 +0100
To: Ryan Thompson
From: Colin Percival
cc: Chaos Golubitsky
cc: freebsd-questions@freebsd.org
cc: Colin Percival
Subject: Re: patching a production system

Ryan Thompson wrote:
>Chaos Golubitsky wrote to freebsd-questions@freebsd.org:
> > (a) (I think the answer is no, but would love to hear otherwise):
> > Do I have an alternative to maintaining a source tree on this
> > machine?
>
>Assuming you're running on i386 hardware, and staying current, binary
>patches are released for most security advisories. For more
>information, look at the advisories themselves, which will direct you
>to excellent information on how they may be applied.

The security team tends to release binary patches only when the set of affected files is both small and obvious.
The sendmail issues, for example, only required that /usr/libexec/sendmail/sendmail be fixed; the xdr and openssl patches, however, affected a larger number of files, and no binary patches were provided for those.

That said, I'm building binary security updates for i386 4.7-RELEASE and 4.8-RELEASE; the code for fetching and installing these updates is in /usr/ports/security/freebsd-update/ (thanks nork!), and more details are available at http://www.daemonology.net/freebsd-update/. This code will keep your machine up to date as if you were using cvsup to track the RELENG_4_x tree and buildworlding, with the side benefit that installing the binary updates is faster than a complete installworld.

Colin Percival