From: Dan Nelson
To: Jerry
Cc: questions@freebsd.org
Date: Mon, 26 Feb 2007 14:11:48 -0600
Subject: Re: Patches in FreeBSD

In the last episode (Feb 26), Jerry said:
> I am being forced to use something besides FreeBSD - probably Susie
> or Red Hat Linux for the base of a server system. The primary reason
> given is that when security issues come along, FreeBSD has no way of
> patching the running system, but rather requires rebuilding the
> system - CVSUP, make, install, etc whereas Susie and Red Hat can be
> patched on the fly. I presume this means kernel type security stuff
> rather than concerns about third party software.

FreeBSD can be patched on the fly just as easily as Linux. In both
cases:

  Kernel fixes require a reboot.
  Fixes to running daemons require them to be restarted.
  Fixes to shared libraries require all running programs using them to
  be restarted (usually simpler to just reboot).

YAST/up2date/whatever may automatically restart daemons (I know apt-get
in Debian does), but for something like a libc update, the fact that
the file is delivered via an RPM versus a "make install" step doesn't
save you from a reboot.

> My question is: How do I respond to this? I have seen the word
> patch used in security update messages - but didn't follow that path.
> Is that real? Does it cover kernel things essentially on the fly or
> is a 'time consuming' rebuild still needed?

A patch lets you fix the problem listed in the security advisory
without necessarily having to do a full buildworld. The SA-07:02.bind
advisory, for example, gives instructions on how to patch, rebuild,
install, and restart named.

--
	Dan Nelson
	dnelson@allantgroup.com
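
Added example, not part of the original message: a check for the shared-library case in the reply above, listing processes that still map a library whose file has since been replaced on disk. It assumes the Linux `/proc/<pid>/maps` format, where an unlinked file carries a ` (deleted)` suffix; the PIDs and map lines in `SAMPLE` are constructed.

```python
import os
import re

# Linux /proc/<pid>/maps line: range perms offset dev inode path
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(?P<path>/.*)$")
DELETED = " (deleted)"  # suffix the kernel adds when the mapped file was unlinked

def stale_libraries(maps_text):
    """Shared objects mapped executable whose on-disk file has been replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m.group("perms"):
            continue
        path = m.group("path")
        if path.endswith(DELETED) and ".so" in os.path.basename(path[:-len(DELETED)]):
            stale.add(path[:-len(DELETED)])
    return stale

def processes_needing_restart(maps_by_pid):
    """Map pid -> sorted stale libraries, only for processes that have any."""
    found = {pid: sorted(stale_libraries(text)) for pid, text in maps_by_pid.items()}
    return {pid: libs for pid, libs in found.items() if libs}

def read_live_maps(proc="/proc"):
    """Collect maps text for every readable process (needs root to see all)."""
    maps = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "maps")) as fh:
                    maps[int(entry)] = fh.read()
            except OSError:  # process exited or access denied
                continue
    return maps

# Constructed sample: pid 812 started before a libc update, pid 4021 after it.
SAMPLE = {
    812: "55d0a0000000-55d0a0020000 r-xp 00000000 08:01 524312 /usr/sbin/named\n"
         "7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 393301 /lib/x86_64-linux-gnu/libc-2.31.so (deleted)\n"
         "7f3a1c400000-7f3a1c421000 rw-p 00000000 00:00 0 \n",
    4021: "7f9b20000000-7f9b201c0000 r-xp 00000000 08:01 393377 /lib/x86_64-linux-gnu/libc-2.31.so\n"
          "7f9b20500000-7f9b20501000 rw-s 00000000 00:01 77 /tmp/cache.db (deleted)\n",
}

if __name__ == "__main__":
    live = os.path.exists("/proc/self/maps")
    for pid, libs in processes_needing_restart(read_live_maps() if live else SAMPLE).items():
        print(pid, ", ".join(libs))
```

A process listed here is still executing the old library code, whichever package tool delivered the new file.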