From owner-freebsd-stable@FreeBSD.ORG Sat Jun 12 16:14:10 2004
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Sat, 12 Jun 2004 12:13:54 -0400
Message-ID: <40CB2BC2.4070201@mac.com>
To: Haim Ashkenazi
cc: freebsd-stable@freebsd.org
Subject: Re: keeping my freebsd secure...
List-Id: Production branch of FreeBSD source code

Haim Ashkenazi wrote:
> 1. I need to follow the security advisories to see if there are
> vulnerabilities in the base system (I didn't find any regarding 4.10, am I
> right?)

It's certainly a good idea, yes.  There's a list just for security
announcements, although anyone who follows CERT or Bugtraq or other
security lists is likely to see issues appear from various places.

Decide whether to follow RELENG_4 or RELENG_4_10.
> 2. I installed portaudit to tell me if there are vulnerabilities in the
> ports.

portaudit is still work-in-progress, but this is also a good idea.

> 3. there are some tools (don't remember their names) that automatically
> download and install upgrades.

portupgrade.

[ ... ]

> how do I update my ports without breaking anything and without downtime
> for important services (apache, mysql, etc...)? the one port I installed
> from pre-compiled binary (screen) took 99% cpu, and I had to compile it
> so it'll work ok. so how do I upgrade any of the above daemons without
> having to uninstall -> compile -> reinstall (which takes a long time).

portupgrade does "compile -> uninstall -> reinstall", which interrupts the
affected software only for a few seconds.  Note that it might still be a
good idea to shut down and restart the service yourself directly.

> also, if the PNG library has vulnerabilities (as it is now on my
> system) and I update the ports and compile it, do I have to update all the
> ports or only this one (will php break if I won't upgrade it)?

That depends on whether the newer version of PNG retains shlib
backwards-compatibility with the older version.  Good software tends to be
fine; other software, where the authors are less concerned about retaining
compatibility with previous versions, may require one to recompile
dependent ports as well.

-- 
-Chuck
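The shlib-compatibility question in the last reply comes down to one concrete check on a FreeBSD box: if the upgraded port installs a library with the same shared-library major number (the N in libfoo.so.N), binaries linked against the old one keep working; if the major number was bumped, every binary still bound to the old soname has to be rebuilt. The POSIX sh script below is an added example written for this editor's note; it is not code from the original mail, from Chuck Swiger, or from the FreeBSD project. The ldd output it parses is constructed, and the sonames libpng.so.5 and libpng.so.6 are illustrative assumptions, not the versions the thread was actually about.

```shell
#!/bin/sh
# Added example (not from the original mail). Decide whether a shared-library
# upgrade keeps ABI compatibility by comparing soname major numbers, and list
# the binaries that must be rebuilt when it does not.

# Constructed sample of `ldd` output for a few binaries (illustrative paths
# and sonames, not taken from any real system). Real ldd output on FreeBSD
# has the same shape: the binary name ending in ':' on its own line, then one
# '<soname> => <path> (<addr>)' line per dependency.
SAMPLE_LDD='/usr/local/bin/php:
    libpng.so.5 => /usr/local/lib/libpng.so.5 (0x28100000)
    libz.so.2 => /usr/lib/libz.so.2 (0x28200000)
/usr/local/bin/convert:
    libpng.so.5 => /usr/local/lib/libpng.so.5 (0x28100000)
/usr/local/bin/screen:
    libncurses.so.5 => /usr/lib/libncurses.so.5 (0x28100000)
/usr/local/bin/gd-demo:
    libpng.so.6 => /usr/local/lib/libpng.so.6 (0x28100000)'

# shlib_major SONAME: print the major number, e.g. libpng.so.5.2 -> 5.
shlib_major() {
    printf '%s\n' "$1" | sed 's/.*\.so\.//; s/\..*//'
}

# shlib_compatible OLD NEW: "yes" if both sonames share a major number
# (existing binaries keep running), "no" if the major was bumped.
# Assumes the usual convention that only a major bump breaks the ABI.
shlib_compatible() {
    if [ "$(shlib_major "$1")" = "$(shlib_major "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# dependents SONAME: read ldd output on stdin and print each binary that is
# linked against exactly that soname (one per line, sorted, unique).
dependents() {
    awk -v so="$1" '
        /:$/                   { bin = $1; sub(/:$/, "", bin); next }
        $2 == "=>" && $1 == so { print bin }
    ' | sort -u
}

# rebuild_plan OLD NEW: read ldd output on stdin; print nothing when the
# upgrade is ABI-compatible, otherwise the binaries still bound to OLD.
rebuild_plan() {
    if [ "$(shlib_compatible "$1" "$2")" = yes ]; then
        return 0
    fi
    dependents "$1"
}

# Stand-alone demo on the constructed sample: a major bump from .so.5 to
# .so.6 means php and convert need rebuilding; screen and gd-demo do not.
printf '%s\n' "$SAMPLE_LDD" | rebuild_plan libpng.so.5 libpng.so.6
```

On a real system, feed it live data instead of the sample, e.g. `ldd /usr/local/bin/* /usr/local/libexec/* 2>/dev/null | rebuild_plan libpng.so.5 libpng.so.6`, and then map the listed binaries back to their ports (the port-level view of the same dependency graph is `pkg_info -R <pkgname>`, which prints the packages that require it). The script only checks the soname; a library that keeps its major number but silently changes struct layouts is exactly the "less careful" case the reply warns about, and no mechanical check will catch that.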