From: Randy Pratt
To: chris@chrismaness.com
Cc: freebsd-questions@freebsd.org
Date: Wed, 1 Mar 2006 14:37:52 -0500
Subject: Re: Tracking Security in Ports and Base System
Message-Id: <20060301143752.aafe3226.bsd-unix@comcast.net>
In-Reply-To: <50124.67.126.165.122.1141236591.squirrel@squirrel.kq6up.org>

On Wed, 1 Mar 2006 10:09:51 -0800 (PST)
chris@chrismaness.com wrote:

> > On Wed, 8 Feb 2006, Chris Maness wrote:
> >
> >> How should I set up cvsup to just track security updates for ports.  And
> >> would the best thing to do after I synced CVS, do portupgrade -a so
> >> that everything selected gets rebuilt.
> >
> > I'm not sure there is a way to do this for ports, other than manually
> > checking what's been changed and whether you consider that to be a
> > security upgrade, then upgrading each applicable port by hand.  As far as
> > I understand, there is only one tag for ports ("tag=."), which gets you
> > the "current" ports tree.  I *can* guarantee that others know more about
> > this than I do.

There is a port which does this for you (security/portaudit):

  portaudit provides a system to check if installed ports are
  listed in a database of published security vulnerabilities.

  After installation it will update this security database
  automatically and include its reports in the output of the
  daily security run.

> >> What is the equivalent for the base system?
> >
> > Much simpler: just track RELENG_your_release to get security updates and
> > bug fixes and nothing else.  For example, mine is RELENG_5_4 and
> > therefore tracks 5.4-RELEASE.

Additionally, I'd suggest subscribing to one of these mailing lists
so that you are notified when an SA is issued:

  security-advisories@freebsd.org
  freebsd-announce@freebsd.org

HTH,

Randy
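
The "track RELENG_your_release" advice above, as an added shell example that is not part of the original message: it maps a `uname -r` string to the security-branch tag and prints a cvsup supfile for that branch only. The function names, the host placeholder, the /var/db and /usr paths and the supfile location in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original message.

# Map a release string such as "5.4-RELEASE-p8" to "RELENG_5_4".
# Anything that is not a -RELEASE string (for example -STABLE or -CURRENT)
# is rejected, so the caller never ends up tracking a development branch
# by accident.
security_branch_tag() {
    ver=${1%%-RELEASE*}                 # "5.4"; unchanged if no -RELEASE
    if [ "$ver" = "$1" ]; then
        echo "no security branch for: $1" >&2
        return 1
    fi
    case "$ver" in
        *[!0-9.]*|.*|*.|*..*) ver= ;;   # digits and dots only, no empty field
        *.*) ;;                         # needs at least major.minor
        *) ver= ;;
    esac
    if [ -z "$ver" ]; then
        echo "cannot parse version in: $1" >&2
        return 1
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}                   # only major and minor form the tag
    printf 'RELENG_%s_%s\n' "$major" "$minor"
}

# Print a supfile that follows only that branch of the base system sources.
# CVSUP_HOST is a placeholder (assumption): set it to a real mirror.
security_supfile() {
    tag=$(security_branch_tag "$1") || return 1
    cat <<EOF
*default host=${CVSUP_HOST:-CHANGE_THIS.FreeBSD.org}
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=$tag
*default delete use-rel-suffix
*default compress
src-all
EOF
}

# Usage (hypothetical file location):
#   security_supfile "$(uname -r)" > /root/security-supfile
#   cvsup -g -L 2 /root/security-supfile
```
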