Date:      Thu, 26 Jul 2001 12:22:25 -0500
From:      Scott Johnson <sjohn@airlinksys.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: [Q] distribution of patched binaries for security fixes.
Message-ID:  <20010726122225.A59848@sjohn.airlinksys.com>
In-Reply-To: <OF4DA81783.35F31A25-ON48256A95.003A491A@allsolutions.com.au>; from David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM +0800
References:  <OF4DA81783.35F31A25-ON48256A95.003A491A@allsolutions.com.au>

Quoth David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM +0800:
> 
> 
> Hello, I am setting up a FreeBSD machine to track the STABLE branch
> and to rebuild the system from time-to-time. The main reason being to
> keep track of security related fixes and enhancements. The documentation
> covers that quite well.
> 
> But I was wondering what is a good procedure to distribute updated
> binaries to other machines.  I have several production machines that I
> would like to keep up-to-date but do not want to compile source on
> every machine.
> 
> Being able to create something like a Windows NT service pack
> would be nice :)

I just mount /usr/src and /usr/obj read-only from the build machine, and
install.  For kernels, I mount /usr/src only, and build on the target. If
you follow RELENG_4_3 (4.3-RELEASE + security fixes) your life gets much
easier -- no more building world. Just cvsup, build the affected systems
(follow the steps in the security notification), and install on every
machine:

build_machine# cvsup -g -L 2 supfile
build_machine# rm -rf /usr/obj/usr/
build_machine# cd /usr/src/affected_component
build_machine# make depend && make all install

target_machine# mount -t nfs build_machine:/usr/src /usr/src
target_machine# mount -t nfs build_machine:/usr/obj /usr/obj
target_machine# cd /usr/src/affected_component
target_machine# make install

If you have a lot of machines to update, rdist + ssh may simplify things
further, transferring binaries and killing and restarting daemons, etc.

These are production machines, right? Why do you want to track -STABLE,
building and installing world all the time? If it ain't broke, don't fix
it!

-- 
                                 Scott Johnson
                          System/Network Administrator
                                Airlink Systems
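
The target-side steps from the message above, wrapped in a loop over several hosts. This is an added example, not part of the original message; it assumes root ssh access to each target, and the component path and host names used with it are placeholders. It mounts the build machine's trees read-only, installs only if both mounts succeeded, and unmounts afterwards.

```shell
#!/bin/sh
# Added example (not from the original message). Assumptions: build_machine
# exports /usr/src and /usr/obj over NFS, and root can ssh to each target.
BUILD_HOST="${BUILD_HOST:-build_machine}"

# Print the command line a target runs for one component, or fail if the
# component path could escape /usr/src or carry shell metacharacters.
remote_install_cmd() {
    case "$1" in
        ""|/*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    # "&&" stops before "make install" if either mount fails, so a target
    # never installs from a stale local tree. "cd /" leaves the NFS mount
    # so that umount is not refused as busy.
    printf '%s' \
"mount -t nfs -o ro $BUILD_HOST:/usr/src /usr/src && \
mount -t nfs -o ro $BUILD_HOST:/usr/obj /usr/obj && \
(cd /usr/src/$1 && make install); rc=\$?; \
cd /; umount /usr/obj; umount /usr/src; exit \$rc"
}

# push_fix COMPONENT HOST...   Set DRY_RUN=1 to print instead of running ssh.
push_fix() {
    component=$1; shift
    cmd=$(remote_install_cmd "$component") || {
        echo "refusing component: $component" >&2; return 2; }
    failed=0
    for host in "$@"; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf "ssh root@%s '%s'\n" "$host" "$cmd"
        elif ! ssh -o BatchMode=yes "root@$host" "$cmd" </dev/null; then
            echo "FAILED: $host" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]   # non-zero status if any target failed
}
```

Run it with DRY_RUN=1 first to see the exact command each target would receive.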
