patching a production system
Colin Percival
colin.percival at wadham.ox.ac.uk
Sun Apr 20 20:04:15 PDT 2003
Ryan Thompson wrote:
>Chaos Golubitsky wrote to freebsd-questions at freebsd.org:
> > (a) (I think the answer is no, but would love to hear otherwise):
> > Do I have an alternative to maintaining a source tree on this
> > machine?
>
>Assuming you're running on i386 hardware, and staying current, binary
>patches are released for most security advisories. For more
>information, look at the advisories themselves, which will direct you
>to excellent information on how they may be applied.

The security team tends to release binary patches only when the set of
affected files is both small and obvious. The sendmail issues, for
example, only required that /usr/libexec/sendmail/sendmail be fixed; the
xdr and openssl patches, however, affected a larger number of files, and no
binary patches were provided for those.

That said, I'm building binary security updates for i386 4.7-RELEASE and
4.8-RELEASE; the code for fetching and installing these updates is in
/usr/ports/security/freebsd-update/ (thanks nork!), and more details are
available at http://www.daemonology.net/freebsd-update/. This code will
keep your machine up to date as if you were using cvsup to track the
RELENG_4_x tree and buildworlding, with the side benefit that installing
the binary updates is faster than a complete installworld.

Colin Percival