From: Scott Johnson
To: freebsd-security@FreeBSD.ORG
Date: Thu, 26 Jul 2001 12:22:25 -0500
Subject: Re: [Q] distribution of patched binaries for security fixes.
Message-ID: <20010726122225.A59848@sjohn.airlinksys.com>

Quoth David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM +0800:
> Hello, I am setting up a FreeBSD machine to track the STABLE branch
> and to rebuild the system from time-to-time. The main reason being to
> keep track of security related fixes and enhancements. The documentation
> covers that quite well.
>
> But I was wondering what is a good procedure to distribute updated
> binaries to other machines. I have several production machines that I
> would like to keep up-to-date but do not want to compile source on
> every machine.
>
> Being able to create something like a Windows NT service pack
> would be nice :)

I just mount /usr/src and /usr/obj read-only from the build machine, and
install. For kernels, I mount /usr/src only, and build on the target.

If you follow RELENG_4_3 (4.3-RELEASE + security fixes) your life gets
much easier -- no more building world. Just cvsup, build the affected
systems (follow the steps in the security notification), and install on
every machine:

    build_machine# cvsup -g -L 2 supfile
    build_machine# rm -rf /usr/obj/usr/
    build_machine# cd /usr/src/affected_component
    build_machine# make depend && make all install

    target_machine# mount -t nfs build_machine:/usr/src /usr/src
    target_machine# mount -t nfs build_machine:/usr/obj /usr/obj
    target_machine# cd /usr/src/affected_component
    target_machine# make install

If you have a lot of machines to update, rdist + ssh may simplify things
further, transferring binaries and killing and restarting daemons, etc.

These are production machines, right? Why do you want to track -STABLE,
building and installing world all the time? If it ain't broke, don't fix
it!

-- 
Scott Johnson
System/Network Administrator
Airlink Systems
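
Added example (not part of the original message or of FreeBSD): one way to confirm that each target ended up with the same files the build machine installed, by comparing SHA-256 checksums after "make install". The function names, the manifest format and the demo paths are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example; every path and file name in demo() is constructed.

# Print the SHA-256 of one file (sha256sum on Linux, sha256 -q on FreeBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Build machine: read installed paths (relative to root $1) from stdin,
# write "<hash>  <path>" lines to stdout.
make_manifest() {
    root=$1
    while IFS= read -r rel; do
        printf '%s  %s\n' "$(hash_file "$root/$rel")" "$rel"
    done
}

# Target: compare root $1 against manifest file $2. Prints one line per
# problem and returns 0 only when every listed file matches.
verify_manifest() {
    root=$1 manifest=$2 bad=0
    while read -r want rel; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(hash_file "$root/$rel")" != "$want" ]; then
            echo "STALE    $rel"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Two constructed trees stand in for the build machine and one target.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/build/usr/libexec" "$tmp/target/usr/libexec"
    echo "patched"   > "$tmp/build/usr/libexec/affected_daemon"
    echo "unpatched" > "$tmp/target/usr/libexec/affected_daemon"
    echo usr/libexec/affected_daemon | make_manifest "$tmp/build" > "$tmp/manifest"
    if verify_manifest "$tmp/target" "$tmp/manifest"; then before=0; else before=1; fi
    cp "$tmp/build/usr/libexec/affected_daemon" "$tmp/target/usr/libexec/"  # stands in for "make install"
    if verify_manifest "$tmp/target" "$tmp/manifest"; then after=0; else after=1; fi
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

demo
```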