Date: Sat, 27 Sep 2003 22:54:26 +0200
From: "Devon H. O'Dell" <dodell@sitetronics.com>
To: "V. Jones" <vjones62@earthlink.net>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Patch question
Message-ID: <3F75F902.9040102@sitetronics.com>
In-Reply-To: <11778415.1064691636010.JavaMail.root@skeeter.psp.pas.earthlink.net>
References: <11778415.1064691636010.JavaMail.root@skeeter.psp.pas.earthlink.net>

V. Jones wrote:

> Thanks to everyone who responded - my question really had more to do with applying patches as they are presented in the various security advisories. It sounds like most of you don't do it that way; it sounds like you track freebsd-stable using cvsup. However, section 21.2.2.2 of the handbook seems to advise against doing this when all you want to do is apply security fixes:
>
> "While it is true that security fixes also go into the FreeBSD-STABLE branch, you do not need to track FreeBSD-STABLE to do this. Every security advisory for FreeBSD explains how to fix the problem for the releases it affects [1], and tracking an entire development branch just for security reasons is likely to bring in a lot of unwanted changes as well."
>
> My intention is to apply the patches as instructed in the advisories. I'll resolve my issues with pgp so that I can validate the files first, then apply them one at a time.

I do not track FreeBSD-STABLE (on my production boxes) and don't really advise people running production servers to run the -STABLE branch. FreeBSD-STABLE is another development branch; the stabilization branch, as it were. The handbook advises against it because it's a development branch and isn't meant for production servers. The most stable FreeBSD you can get is a -RELEASE snapshot. All security advisories are tracked for the -RELEASE snapshot. If you're tracking 4.8-RELEASE, you'd simply have RELENG_4_8 in your supfile. This is, as far as I've been able to tell in my past 5 years of experience with FreeBSD, the recommended way of doing things. Then again, I don't blame you for wanting to validate every patch :)

--Devon