From owner-freebsd-stable@FreeBSD.ORG Mon May 22 14:14:33 2006
From: Jonathan Noack <noackjr@alumni.rice.edu>
Date: Mon, 22 May 2006 10:12:30 -0400
To: Steven Hartland
Cc: FreeBSD Stable, Colin Percival, Brent Casavant
Subject: Re: FreeBSD Security Survey
Message-ID: <4471C6CE.2020302@alumni.rice.edu>
In-Reply-To: <009101c67d8c$ee013db0$b3db87d4@multiplay.co.uk>
References: <4471361B.5060208@freebsd.org> <20060521231657.O6063@abigail.angeltread.org> <009101c67d8c$ee013db0$b3db87d4@multiplay.co.uk>
OpenPGP: id=991D8195; url=http://www.noacks.org/cert/noackjr.asc
List-Id: Production branch of FreeBSD source code

On 05/22/06 06:45, Steven Hartland wrote:
> Brent Casavant wrote:
>> On Sun, 21 May 2006, Colin Percival wrote:
>
>> So, in short, that's why *I* rarely update ports for security reasons.
>>
>> There are steps that could be taken at the port maintenance level that
>> would work well for my particular case, however that's beyond the
>> scope of the survey. Thanks for taking the time to put the survey
>> together, I certainly hope it proves useful.
>
> Perfectly put there Brent. portupgrade is all very powerful but:
> * Takes an absolute age to do anything but the simplest updates
> * Often fails and needs significant manual fixing
>
> Here it's usually 100 times quicker to just do:
>   pkg_info | awk '{print $1}' > packages.txt
>   cat packages.txt | xargs pkg_delete -f
>   cat packages.txt | xargs pkg_add -r
>
> This at least brings you up to a known good set. Alternatively I
> also use something similar but build from ports; the problem with
> that is often the ports need to be built with custom options to get
> back to how you started, so unless you were very meticulous in
> noting down the options to every port on every machine you
> installed, something often goes wrong :(

Dropping security@...
The OPTIONS feature stores port preferences and helps a lot with this.
Not all ports are converted yet, but that's just a matter of time. My
only complaint is that when options are added I'm not prompted for my
preference (I just get the default value). I have to go back and
manually "make config" if I don't want the default. If automatic
prompting for new options is added then we will truly have a "set it
and forget it" configuration system. Because I track ports fairly
closely and usually catch new options, this hasn't annoyed me enough to
fix it...

> One good example of portupgrade "going off on one" is a simple
> upgrade of mtr; we don't install any X on our machines so mtr-nox11
> is installed. Whenever I've tried portupgrade in the past it's
> always trolled off and started downloading and building the behemoth
> that is X. CTRL+C hence always ensues and I forget about upgrading
> until I really HAVE to.

You have to tell the ports system you don't want X (put the following
in /etc/make.conf):

WITHOUT_X11= yes

There are also ports (like bittorrent) that install GUIs by default.
You should also tell the ports system you don't want GUIs:

WITHOUT_GUI= yes

Some ports will still need the X libs (like graphviz), but that's not a
huge deal.

-Jonathan

-- 
Jonathan Noack | noackjr@alumni.rice.edu | OpenPGP: 0x991D8195
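The "known good set" reinstall that Steven describes (pkg_info, pkg_delete -f, pkg_add -r), written up as an added example that is not from the original mail or from FreeBSD itself. It assumes the FreeBSD 6-era pkg_* tools; the pkg_names function, the SAMPLE_PKG_INFO lines and the --run switch are my own. The one change from the quoted one-liners is that the version suffix is stripped before pkg_add -r, so the fetch comes from the package site's Latest/ directory and picks up the updated package rather than asking for the exact old name-version, which is the whole point of a security refresh.

```shell
#!/bin/sh
# Added example: rebuild the installed package set from the package site.
# Assumes pkg_info/pkg_delete/pkg_add as on FreeBSD 6.x. Set PACKAGESITE
# first if the default package directory for your release is not the one
# you want to pull from.

# Turn pkg_info(1) "name-version  comment" lines into bare package names.
# A FreeBSD version suffix starts at the last '-' that is followed by a
# digit, so "mtr-nox11-0.71" -> "mtr-nox11" and "p5-Foo-Bar-1.2_3,1" ->
# "p5-Foo-Bar". Package names themselves never contain "-<digit>...$".
pkg_names() {
    awk '{print $1}' | sed 's/-[0-9][^-]*$//'
}

# Constructed sample of pkg_info output (not a real machine's list), used
# for a dry run when the pkg_* tools are not available.
SAMPLE_PKG_INFO='mtr-nox11-0.71      Traceroute and ping in one tool
p5-Foo-Bar-1.2_3,1  Sample Perl module (constructed)
png-1.2.8_3         Library for manipulating PNG images'

# Write the name list to disk first; nothing is deleted until the list
# that drives the re-fetch exists, so an interrupted run can be resumed
# with "xargs pkg_add -r < packages.txt".
reinstall_known_good() {
    list=${1:-packages.txt}
    pkg_info | pkg_names > "$list" || return 1
    [ -s "$list" ] || { echo "empty package list, refusing to delete" >&2; return 1; }
    xargs pkg_delete -f < "$list"
    xargs pkg_add -r < "$list"
}

if [ "${1:-}" = "--run" ] && command -v pkg_info >/dev/null 2>&1; then
    reinstall_known_good packages.txt
else
    # Dry run: show what the parsing yields for the constructed sample.
    printf '%s\n' "$SAMPLE_PKG_INFO" | pkg_names
fi
```

Port OPTIONS choices live outside the package database, so a fresh pkg_add -r does not carry custom build options with it; this is the case Steven describes for building from ports, and the binary route sidesteps it only because stock packages are built with default options.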