Date: Mon, 27 May 2002 12:37:01 +0100
From: Daniel Bye
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Security update howto?
Message-ID: <20020527113701.GA24194@icarus.slightlystrange.org>

On Sun, May 26, 2002 at 02:36:47PM -0700, Mark Edwards wrote:
> I've got an install of FreeBSD 4.5 running along quite nicely and I'm
> subscribed to the security mailing list. Every once in a while I get a
> security notice that recommends "Upgrade your vulnerable system to
> 4.5-STABLE or the RELENG_4_4 or RELENG_4_5 security branch dated after the
> respective correction dates."
>
> I've looked around for more info on this, and I'm still a bit confused.
> What is the best way to stay on top of security updates on FreeBSD? I just
> want a no-hassle update to stay on top of this stuff. Am I supposed to use
> CVS to download new source and rebuild from that? I've used CVS to update
> my /usr/ports directory with no problem. Is there a way to do a binary
> update for security purposes only?
>
> Where do I go for clear-cut information on this process?
>

Hi Mark,

I use cvsup to stay on top of this. Use the tag RELENG_4_5.
Once you have synchronised your source, you can either do a make world
(see ch9 and 19 in the handbook for details) and rebuild the entire base
system and kernel, or you can simply rebuild the affected application (I
think they provide instructions with each security bulletin). The make
world is probably the safest way to do it, as that way you know you are
getting all changes merged into the source tree since your last rebuild.

There is an experimental binary-only upgrade path in testing - if you use
it, you are expected to provide feedback on how you find it. I have not
tried it, so can't comment on any benefits it might offer over doing it
all manually. You can get more details in section V.3 of the latest
security notification (bzip2).

I don't think you will get a truly hassle-free way of doing it - you will
have to invest a certain amount of effort to stay up to date, but it soon
becomes second nature, and is certainly worth it in the long run.

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
                                                        _
                                  ASCII ribbon campaign ( )
                         - against HTML, vCards and      X
                - proprietary attachments in e-mail     / \
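
The procedure described in the reply above, as an added example that is not part of the original message: a script that writes a cvsup supfile for the RELENG_4_5 security branch and then does the full rebuild. The mirror host, the supfile path and the GENERIC kernel name are assumptions, and the tag check goes slightly beyond the message by refusing anything that is not a RELENG_x_y tag.

```sh
#!/bin/sh
# Added example: track a FreeBSD 4.x security branch with cvsup.
# Assumptions (not from the original message): the mirror host, the
# supfile path and the kernel config name GENERIC.

CVSUP_HOST="cvsup.example.org"   # placeholder: use a mirror near you

# Write a supfile for a security branch tag such as RELENG_4_5.
# Tags that are not of the form RELENG_<major>_<minor> are refused, so a
# typo cannot silently move the tree to -STABLE (RELENG_4) or -CURRENT (.).
write_supfile() {
    tag=$1
    out=$2
    case $tag in
        RELENG_[0-9]_[0-9]|RELENG_[0-9]_[0-9][0-9]) ;;
        *) echo "refusing tag '$tag': not a security branch" >&2
           return 1 ;;
    esac
    cat > "$out" <<EOF
*default host=$CVSUP_HOST
*default base=/usr
*default prefix=/usr
*default release=cvs tag=$tag
*default delete use-rel-suffix
*default compress
src-all
EOF
}

# Sync the source, then rebuild the whole base system and kernel.
update_base() {
    supfile=$1
    cvsup -g -L 2 "$supfile" || return 1
    cd /usr/src || return 1
    make buildworld && make buildkernel KERNCONF=GENERIC \
        && make installkernel KERNCONF=GENERIC
    # Then reboot to single-user mode and run:
    #   cd /usr/src && make installworld && mergemaster
}

# Run only when asked to, e.g.:  sh secupdate.sh run
if [ "${1:-}" = "run" ]; then
    write_supfile RELENG_4_5 /root/security-supfile \
        && update_base /root/security-supfile
fi
```

Compare the date of the synchronised tree against the correction date in the advisory before rebuilding, since a mirror that lags behind can hand back source that predates the fix.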