Date:      Mon, 22 May 2006 10:12:30 -0400
From:      Jonathan Noack <noackjr@alumni.rice.edu>
To:        Steven Hartland <killing@multiplay.co.uk>
Cc:        FreeBSD Stable <freebsd-stable@freebsd.org>, Colin Percival <cperciva@freebsd.org>, Brent Casavant <b.j.casavant@ieee.org>
Subject:   Re: FreeBSD Security Survey
Message-ID:  <4471C6CE.2020302@alumni.rice.edu>
In-Reply-To: <009101c67d8c$ee013db0$b3db87d4@multiplay.co.uk>
References:  <4471361B.5060208@freebsd.org>	<20060521231657.O6063@abigail.angeltread.org> <009101c67d8c$ee013db0$b3db87d4@multiplay.co.uk>

On 05/22/06 06:45, Steven Hartland wrote:
> Brent Casavant wrote:
>> On Sun, 21 May 2006, Colin Percival wrote:
>
>> So, in short, that's why *I* rarely update ports for security reasons.
>>
>> There are steps that could be taken at the port maintenance level that
>> would work well for my particular case, however that's beyond the
>> scope of the survey.  Thanks for taking the time to put the survey
>> together, I certainly hope it proves useful.
>
> Perfectly put there Brent, portupgrade is all very powerful but:
> * Takes an absolute age to do anything but the simplest updates
> * Often fails and needs significant manual fixing
>
> Here it's usually 100 times quicker to just do:
> pkg_info | awk '{print $1}' > packages.txt
> cat packages.txt | xargs pkg_delete -f
> cat packages.txt | xargs pkg_add -r
>
> This at least brings you up to a known good set. Alternatively I
> also use something similar but build from ports the problem with
> that is often the ports need to be built with custom options to get
> back to how you started so unless you were very meticulous in
> noting down the options to every port on every machine you
> installed something often goes wrong :(

Dropping security@...

The OPTIONS feature stores port preferences and helps a lot with this.
Not all ports are converted yet, but that's just a matter of time.  My
only complaint is that when options are added I'm not prompted for my
preference (I just get the default value).  I have to go back and
manually "make config" if I don't want the default.  If automatic
prompting for new options is added then we will truly have a "set it and
forget it" configuration system.  Because I track ports fairly closely
and usually catch new options, this hasn't annoyed me enough to fix it...

> One good example of portupgrade "going off on one" is a simple
> upgrade of mtr; we don't install any X on our machines so mtr-nox11
> is installed. Whenever I've tried portupgrade in the past it's
> always trolled off and started downloading and building the behemoth
> that is X, CTRL+C hence always ensues and I forget about upgrading
> until I really HAVE to.

You have to tell the ports system you don't want X (put the following in
/etc/make.conf):
WITHOUT_X11= yes

There are also ports (like bittorrent) that install GUIs by default.
You should also tell the ports system you don't want GUIs:
WITHOUT_GUI= yes

Some ports will still need the X libs (like graphviz), but that's not a
huge deal.

-Jonathan

-- 
Jonathan Noack | noackjr@alumni.rice.edu | OpenPGP: 0x991D8195

