From owner-freebsd-security@FreeBSD.ORG Sat Sep 27 14:18:43 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97B9516A4B3 for ; Sat, 27 Sep 2003 14:18:43 -0700 (PDT) Received: from amsfep14-int.chello.nl (amsfep14-int.chello.nl [213.46.243.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 09EFE43FAF for ; Sat, 27 Sep 2003 14:18:42 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep14-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030927205631.BQRB4348.amsfep14-int.chello.nl@sitetronics.com>; Sat, 27 Sep 2003 22:56:31 +0200 Message-ID: <3F75F902.9040102@sitetronics.com> Date: Sat, 27 Sep 2003 22:54:26 +0200 From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "V. Jones" References: <11778415.1064691636010.JavaMail.root@skeeter.psp.pas.earthlink.net> In-Reply-To: <11778415.1064691636010.JavaMail.root@skeeter.psp.pas.earthlink.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Patch question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Sep 2003 21:18:43 -0000 V. Jones wrote: >Thanks to everyone who responded - my question really had more to do with applying patches as they are presented in the various security advisories. It sounds like most of you don't do it that way; it sounds like you track freebsd-stable using cvsup. However, section 21.2.2.2 of the handbook seems to advise against doing this when all you want to do is apply security fixes: > >"While it is true that security fixes also go into the FreeBSD-STABLE branch, you do not need to track FreeBSD-STABLE to do this. Every security advisory for FreeBSD explains how to fix the problem for the releases it affects [1] , and tracking an entire development branch just for security reasons is likely to bring in a lot of unwanted changes as well." > >My intention is to apply the patches as instructed in the advisories. I'll resolve my issues with pgp so that I can validate the files first, then apply them one at a time. > > I do not track FreeBSD-STABLE (on my production boxes) and don't really advise people running production servers to run the -STABLE branch. FreeBSD-STABLE is another development branch; the stabilization branch, as it were. The handbook advises against it because it's a development branch and isn't meant for production servers. The most stable FreeBSD you can get is a -RELEASE snapshot. All security advisories are tracked for the -RELEASE snapshot. If you're tracking 4.8-RELEASE, you'd simply have RELENG_4_8 in your supfile. This is, as far as I've been able to tell in my past 5 years of experience with FreeBSD, the recommended way of doing things. Then again, I don't blame you for wanting to validate every patch :) --Devon