Date: Mon, 19 Dec 2005 13:01:17 -0600
From: Paul Schmehl
To: freebsd-questions@freebsd.org
Subject: Re: ports security branch
Message-ID: <124C8EC79D9A6FBB2A645B28@Paul-Schmehls-Computer.local>
In-Reply-To: <43A6CA19.5020100@mail.ru>

--On December 19, 2005 6:56:25 PM +0400 rihad wrote:

> Is there a security branch for the FreeBSD ports collection? Let's say,
> I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages.
> Running security/portaudit after a while reveals that some of the
> installed packages have vulnerabilities. Am I on my own to go grab the
> fresh ports tree, and upgrade the affected software, suffering all the
> intricacies of the move by myself? Debian GNU/Linux has its security
> package updates, OpenBSD has a separately maintained "errata" ports
> branch (you still get to download a newer release of the software, though
> (IIRC)).
>

On your own, but not in the sense you may think. If you cvsup your ports (I do it nightly for all my servers), then you can simply run portupgrade and all the affected ports will be upgraded (assuming you use the right switches - I use -ai because I want to be able to decline to upgrade a port if it's going to affect a lot of people and then schedule it for later that same day or the next.)

I'm not sure what you mean by "suffering all the intricacies". Cvsup will fetch all the ports that have updates (assuming you use the right config - man is your friend), so you really don't have to do much except launch cvsup (if you haven't already scheduled it routinely) and then launch portupgrade once cvsup is done.

When I set up a new server, one of the first things I do, before installing any applications, is run cvsup to update everything. Then I set up cvsup to run nightly, and only then do I begin installing whatever applications that particular server might need.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
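
The nightly routine described in the message above, sketched as an added example that is not part of the original post: refresh the ports tree with cvsup, run portaudit, and summarize which installed packages are flagged so the interactive `portupgrade -ai` can be scheduled. The supfile path, the function names and the sample portaudit output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: nightly ports-tree refresh plus a portaudit summary.
# Assumed: the supfile path below (the supfile names the cvsup host), and
# that portaudit marks each finding with an "Affected package:" line.
SUPFILE="${SUPFILE:-/usr/local/etc/ports-supfile}"

# Read portaudit output on stdin; print each affected package once, sorted.
affected_packages() {
    sed -n 's/^Affected package: //p' | sort -u
}

# Constructed sample of portaudit output, so the parsing can be tried offline.
sample_portaudit_output() {
cat <<'EOF'
Affected package: examplepkg-1.0.2
Type of problem: examplepkg -- constructed sample issue.
Reference: <placeholder-url>

Affected package: otherpkg-2.4_1
Type of problem: otherpkg -- constructed sample issue.
Reference: <placeholder-url>

Affected package: examplepkg-1.0.2
Type of problem: examplepkg -- second constructed issue.
Reference: <placeholder-url>

3 problem(s) in your installed packages found.
EOF
}

# Turn portaudit output (stdin) into a short report; returns 1 if anything is flagged.
audit_report() {
    pkgs=$(affected_packages)
    if [ -z "$pkgs" ]; then
        echo "No vulnerable packages reported."
        return 0
    fi
    count=$(printf '%s\n' "$pkgs" | wc -l | tr -d ' ')
    echo "$count vulnerable package(s); review, then run 'portupgrade -ai':"
    printf '%s\n' "$pkgs" | sed 's/^/  /'
    return 1
}

# Nightly job: update the ports tree first, then audit what is installed.
nightly_ports_check() {
    cvsup -g -L 2 "$SUPFILE" || return 2
    portaudit -Fda | audit_report
}

if [ "${1:-}" = "run" ]; then nightly_ports_check; fi
```

Invoked from cron with the argument `run`, the script leaves the upgrade itself to the administrator, matching the post's preference for deciding port by port.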