To: FreeBSD Current
From: "Derek (freebsd lists)" <482254ac@razorfever.net>
Subject: freebsd-update: to a specific patch level - help please?
Date: Wed, 21 Mar 2018 17:12:45 -0400

Hi!

I was surprised when using freebsd-update, that there was no way to specify a patch level.

In my day to day, I need to ensure security patches are applied. I also need to assess the impact of patches, and ensure consistency (i.e. versions) in my environments. This can take time.

Here's a story for context, please feel free to skip:

We are planning to cut our 10.3-RELEASE infrastructure over to 11.1-RELEASE before the end of the month, because it's EoL in April. We updated and cut over our production load balancer March 6th (and patted ourselves on the back for being ahead of schedule), and within less than 12 hours, updated our backup load balancers. Unfortunately, we're now on ever so slightly different versions (-p6/-p7), and we're not affected by the -p7 problems. This makes my eye twitch slightly, especially when -p7 was the first patch of 2018.

Now we need to upgrade our application servers, that are running our trusted code, and -p8 comes out.
I'm nervous about just applying -p8, but I definitely want to upgrade to 11.1-RELEASE asap. After assessing the impact of -p8 on our infrastructure, I feel the security risk is relatively low in the short term (and we've waited this long anyway), but I feel the probability of introducing unintended side-effects is high, and want some time to test and assess.

/story

It would seem to me, for repeatable environments, that binary updates from FreeBSD that can be pinned to a specific version are highly desirable.

I've gone ahead and created a patch for my use here:

https://github.com/derekmarcotte/freebsd/commit/009015a7dda5d1f1c46f4706c222614f17fb535c

(there's a 10.3-specific one here: https://github.com/derekmarcotte/freebsd/commit/458879f36ae984add0ff525fb6c2765fcf1fba67 )

I'd be happy to open a PR, and to iterate and improve on this PoC, but if there's no support from the project, I'll keep it to myself.

I guess what I'm asking is, for these reasons, is anyone willing to work with me (in mentorship+commit bits) to add this feature (maybe not this particular implementation) to freebsd-update?

Thanks!
Derek