From owner-freebsd-stable@FreeBSD.ORG Mon May 22 14:45:29 2006
From: Charles Howse <chowse@charter.net>
Date: Mon, 22 May 2006 09:45:16 -0500
To: FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: FreeBSD Security Survey
In-Reply-To: <4471C6CE.2020302@alumni.rice.edu>
References: <4471361B.5060208@freebsd.org> <20060521231657.O6063@abigail.angeltread.org> <009101c67d8c$ee013db0$b3db87d4@multiplay.co.uk> <4471C6CE.2020302@alumni.rice.edu>
List-Id: Production branch of FreeBSD source code

On May 22, 2006, at 9:12 AM, Jonathan Noack wrote:

> On 05/22/06 06:45, Steven Hartland wrote:
>> Brent Casavant wrote:
>>> On Sun, 21 May 2006, Colin Percival wrote:
>>
>>> So, in short, that's why *I* rarely update ports for security
>>> reasons.
>>>
>>> There are steps that could be taken at the port maintenance level
>>> that would work well for my particular case, however that's beyond
>>> the scope of the survey. Thanks for taking the time to put the
>>> survey together, I certainly hope it proves useful.
>>
>> Perfectly put there Brent. portupgrade is all very powerful but:
>> * Takes an absolute age to do anything but the simplest updates
>> * Often fails and needs significant manual fixing
>>
>> Here it's usually 100 times quicker to just do:
>> pkg_info | awk '{print $1}' > packages.txt
>> cat packages.txt | xargs pkg_delete -f
>> cat packages.txt | xargs pkg_add -r
>>
>> This at least brings you up to a known good set. Alternatively I
>> also use something similar but build from ports; the problem with
>> that is often the ports need to be built with custom options to get
>> back to how you started, so unless you were very meticulous in
>> noting down the options to every port on every machine you
>> installed, something often goes wrong :(
>
> Dropping security@...
>
> The OPTIONS feature stores port preferences and helps a lot with this.
> Not all ports are converted yet, but that's just a matter of time. My
> only complaint is that when options are added I'm not prompted for my
> preference (I just get the default value). I have to go back and
> manually "make config" if I don't want the default. If automatic
> prompting for new options is added then we will truly have a "set it
> and forget it" configuration system. Because I track ports fairly
> closely and usually catch new options, this hasn't annoyed me enough
> to fix it...
>
>> One good example of portupgrade "going off on one" is a simple
>> upgrade of mtr. We don't install any X on our machines so mtr-nox11
>> is installed. Whenever I've tried portupgrade in the past it's
>> always trolled off and started downloading and building the behemoth
>> that is X; CTRL+C hence always ensues and I forget about upgrading
>> until I really HAVE to.
>
> You have to tell the ports system you don't want X (put the
> following in /etc/make.conf):
> WITHOUT_X11= yes
>
> There are also ports (like bittorrent) that install GUIs by default.
> You should also tell the ports system you don't want GUIs:
> WITHOUT_GUI= yes
>
> Some ports will still need the X libs (like graphviz), but that's
> not a huge deal.

Just curious, where are WITHOUT_X11 and WITHOUT_GUI documented? I don't see either in /usr/share/examples/etc/make.conf, nor in man make.conf.
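An added example, not code from Steven or anyone else in the thread: a dry-run version of the pkg_info / pkg_delete / pkg_add -r recipe quoted above, in POSIX sh. It keeps the exact installed name for pkg_delete but strips the version for pkg_add -r (assumption: a bare name makes pkg_add -r fetch the mirror's current package rather than the exact old version), and it only prints the commands so the plan can be reviewed before anything is removed. The pkg_info sample is constructed.

```shell
# Added example (not from the thread). Plans a "delete everything, re-add
# everything" cycle from pkg_info output without touching the system.

# "mtr-nox11-0.69_1,1" -> "mtr-nox11": the version is everything after the
# last hyphen; the base name itself may contain hyphens, so only the last
# one is cut.
pkg_base_name() {
    printf '%s\n' "${1%-*}"
}

# Read pkg_info(1)-style lines ("name-version   comment") on stdin and
# print the first field of each non-empty line, one package per line.
pkg_installed_names() {
    awk 'NF > 0 {print $1}'
}

# Print the commands that would be run. Deletes come first, with the exact
# installed name (as in the original recipe); then one pkg_add -r per base
# name, de-duplicated (assumption: the bare name fetches the current
# package from the mirror, so an old, withdrawn version is not requested).
plan_reinstall() {
    list=$(pkg_installed_names)
    for p in $list; do
        printf 'pkg_delete -f %s\n' "$p"
    done
    for p in $list; do
        pkg_base_name "$p"
    done | LC_ALL=C sort -u | while IFS= read -r b; do
        printf 'pkg_add -r %s\n' "$b"
    done
}

# Constructed sample of pkg_info output; not data from any real machine.
SAMPLE_PKG_INFO='mtr-nox11-0.69            Traceroute and ping in one tool
p5-Net-IP-1.25            Perl extension for IPv4/IPv6 addresses
portupgrade-2.0.1_1,2     FreeBSD ports/packages administration tool'

# Usage: review the plan, then pipe it into sh once satisfied.
# printf '%s\n' "$SAMPLE_PKG_INFO" | plan_reinstall
```

On a real system, replace the sample with `pkg_info | plan_reinstall > plan.sh`, read plan.sh, and only then run it.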