a few questions and concepts

bsd at bathnetworks.com bsd at bathnetworks.com
Sat Apr 8 06:41:30 UTC 2006


> On Friday 07 April 2006 16:34, Giorgos Keramidas wrote:
>> On 2006-04-07 15:54, Jonathan Horne <freebsd at dfwlp.com> wrote:
>> > I'm still pretty new to freebsd.  I've been playing around with the cvsup
>> > tools, and they are quite fascinating.
>> >
>> > I changed my production server from Fedora to FreeBSD 6.0, about 1 day
>> > before the most recent sendmail exploit was published (well, published on
>> > freebsd.org anyway).
>>
>> Murphy at work, again, eh? :)
>>
>> > I did download the patch and recompile it, but as some have also noted
>> > on this list, it still banners as 8.13.4 when you telnet to it.
>> >
>> > so, the past couple of days, I have learned to cvsup my /usr/src
>> > directories.  I've just been using the standard copy of the
>> > stable-supfile. I have learned that if I perform the sendmail recompile
>> > after the cvsup, sendmail seems to proclaim 8.13.6 in the banner.
>> > On top of that, I have learned that if I recompile the kernel after
>> > cvsup, it no longer says FreeBSD 6.0-RELEASE, but FreeBSD
>> > 6.1-PRERELEASE.
>>
>> You are running RELENG_6 now, which is much more recent than
>> RELENG_6_0_RELEASE.
>>
>> The first one is the top of the 6.X branch, which changes moderately
>> slow, but it *does* change.  The 6.0-RELEASE source tree is "frozen in
>> time" at the point the tag was placed on the source tree.
>>
>> > my questions:
>> > 1) after cvsup, I think I can assume that sendmail is now compiling from
>> > sourcecode that should definitely be free from the current exploit.  I
>> > would also assume that anything that I would need to recompile from
>> > /usr/src should also see the benefit of 'latest source code'?
>>
>> Yes, both true.
>>
>> > 2) on a production server, should I avoid recompiling a kernel that will
>> > be FreeBSD 6.1-PRERELEASE?  on the whole, how reliable is the bulk of
>> > these newer sources that were pulled down by cvsup?
>>
>> In general, if you are a bit paranoid, you should avoid running RELENG_6 on
>> a production system.  At least until you have thoroughly tested it on a
>> "test system" and found everything working as expected.
>>
>> > I can definitely see the benefits of using cvsup to take care of
>> > problems with some things (like sendmail), but allowing it to update
>> > everything under the /usr/src tree, I'm wondering if I could be setting
>> > myself up for issues (by not editing the stable-supfile and taking
>> > only what I need).
>>
>> This is why each FreeBSD release is associated with at least:
>>
>>     * A "frozen" tag, like RELENG_6_0_RELEASE
>>
>>     * A security branch, like RELENG_6_0
>>
>>     * A stable branch, like RELENG_6
>>
>> Changes go very fast in the CURRENT FreeBSD branch.  After they settle
>> in for a while, some of them are backported to the RELENG_X branch.  The
>> RELENG_X branch changes much slower than the experimental, CURRENT
>> branch, but it does change every time a new feature is backported to
>> RELENG_X.
>>
>> Then, when security fixes are made available, they are added both to the
>> RELENG_X branch and the RELENG_X_Y security branches.
>>
>> If all you want is the "frozen" release sources plus changes that are
>> really really necessary, because they fix a serious security bug, you
>> probably want RELENG_X_Y (RELENG_6_0 in this case).
>>
>> Regards,
>> Giorgos
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>
> thank you kindly for your reply, that was quite informative.  I've actually
> read the document on the differences between the stable, current, and release
> (or whatever), and find that system quite confusing for the moment.   I'm sure
> I'll grasp the method of the madness eventually.  I guess what confuses me, is
> that I read about those, and then try to find them on the ftp sites.  I
> assume, that only release is made into a .iso file?  and to move to a higher
> version (either the security RELENG_6_0 or stable RELENG_6), you do this thru
> the cvsup tool.

Yes, as far as I can tell that is correct; it confused me at first. The
iso image is the latest release for each branch.

>
> so, by your descriptions and reply to my previous comments, my system that is
> running what says 6.1-PRERELEASE is really RELENG_6 (stable) ?
>

Again correct. Don't forget 'stable' is not that stable; it is a snapshot
of 'current' that is stable enough to be released.

> thanks,
> Jonathan Horne

The other confusing thing is that the tags only really refer to the
'userland', i.e. the core system. The ports get updated as and when.

On the system I am currently working on, which will be a production server,
I don't want too much change when in production, so I am following the 6.0
branch at present (RELENG_6_0). I have portaudit installed, which tells me
what ports have been updated through security issues, and I can decide if I
need to update them. Apart from that I will probably leave it alone.

Hope this helps

Rob
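The whole thread turns on one line of the supfile: the `tag=` on the `*default release=cvs` line decides whether a box follows the frozen release, the RELENG_X_Y security branch, or the RELENG_X stable branch. The script below is an added example, not code posted by anyone in the thread: it reads a supfile and reports which of those three kinds of tag it tracks, using two constructed supfiles modelled on the stock stable-supfile (the host name is a placeholder). It only inspects the file; it never runs cvsup.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tell which FreeBSD source
# branch a cvsup supfile tracks. Only the "*default ... tag=..." line matters.

# Constructed supfile modelled on /usr/share/examples/cvsup/stable-supfile.
# The host is a placeholder; everything except the tag line is incidental.
SUPFILE_STABLE='*default host=cvsup.example.invalid
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_6
*default delete use-rel-suffix
*default compress
src-all'

# The same file with the tag changed to the security branch of 6.0-RELEASE,
# i.e. the edit suggested above for a box that wants only security fixes.
SUPFILE_SECURITY=$(printf '%s\n' "$SUPFILE_STABLE" | sed 's/tag=RELENG_6$/tag=RELENG_6_0/')

# supfile_tag: read a supfile on stdin, print the value of the first
# tag=... field found on a "*default" line (prints nothing if none).
supfile_tag() {
    awk '$1 == "*default" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^tag=/) { sub(/^tag=/, "", $i); print $i; exit }
         }'
}

# classify_tag TAG: map a CVS tag onto the branch kinds described in the thread.
classify_tag() {
    case "$1" in
        RELENG_[0-9]*_[0-9]*_RELEASE) echo frozen-release ;;   # e.g. RELENG_6_0_RELEASE
        RELENG_[0-9]*_[0-9]*)         echo security-branch ;;  # e.g. RELENG_6_0
        RELENG_[0-9]*)                echo stable-branch ;;    # e.g. RELENG_6
        .)                            echo current ;;          # "." is HEAD, i.e. -CURRENT
        *)                            echo unknown ;;
    esac
}

# supfile_branch: read a supfile on stdin, print "<tag> <kind>".
# Returns 1 (and prints "no-tag unknown") when the file has no tag line.
supfile_branch() {
    tag=$(supfile_tag)
    [ -n "$tag" ] || { echo "no-tag unknown"; return 1; }
    echo "$tag $(classify_tag "$tag")"
}

# Demo: the stock stable-supfile versus the security-branch edit.
printf '%s\n' "$SUPFILE_STABLE"   | supfile_branch    # RELENG_6 stable-branch
printf '%s\n' "$SUPFILE_SECURITY" | supfile_branch    # RELENG_6_0 security-branch
```

Run it against your real file with `supfile_branch < /path/to/your-supfile`; if the answer is `stable-branch` on a machine you believed was frozen at 6.0, that is exactly the situation Jonathan describes, where a kernel rebuild comes up as 6.1-PRERELEASE.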



