Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 26 Jul 2001 12:22:25 -0500
From:      Scott Johnson <sjohn@airlinksys.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: [Q] distribution of patched binaries for security fixes.
Message-ID:  <20010726122225.A59848@sjohn.airlinksys.com>
In-Reply-To: <OF4DA81783.35F31A25-ON48256A95.003A491A@allsolutions.com.au>; from David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM %2B0800
References:  <OF4DA81783.35F31A25-ON48256A95.003A491A@allsolutions.com.au>
index | next in thread | previous in thread | raw e-mail 

Quoth David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM +0800:
> 
> 
> Hello, I am setting up a FreeBSD machine to track the STABLE branch
> and to rebuild the system from time-to-time. The main reason being to
> keep track of security related fixes and enhancents.The documentation
> covers that quite well.
> 
> But I was wondering what is a good procedure to distribute updated
> binaries to other machines.  I several have production machines that I
> would like to keep up-to-date but do not want to compile source on
> every machine.
> 
> Being able to create something like a Windows NT service pack
> would be nice :)

I just mount /usr/src and /usr/obj read-only from the build machine, and
install.  For kernels, I mount /usr/src only, and build on the target. If
you follow RELENG_4_3 (4.3-RELEASE + security fixes) your life gets much
easier -- no more building world. Just cvsup, build the affected systems
(follow the steps in the security notification), and install on every
machine

build_machine# cvsup -g -L 2 supfile
build_machine# rm -rf /usr/obj/usr/
build_machine# cd /usr/src/affected_component
build_machine# make depend && make all install

target_machine# mount -t nfs build_machine:/usr/src /usr/src
target_machine# mount -t nfs build_machine:/usr/obj /usr/obj
target_machine# cd /usr/src/affected_component
target_machine# make install

If you have a lot of machines to update, rdist + ssh  may simplify things
further, transferring binaries and killing and restarting daemons, etc.

These are production machines, right? Why do you want to track -STABLE,
building and installing world all the time? If it ain't broke, don't fix
it!

-- 
                                 Scott Johnson
                          System/Network Administrator
                                Airlink Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010726122225.A59848>