Tracking Security in Ports and Base System
Randy Pratt
bsd-unix at comcast.net
Wed Mar 1 11:36:40 PST 2006
On Wed, 1 Mar 2006 10:09:51 -0800 (PST)
chris at chrismaness.com wrote:
> > On Wed, 8 Feb 2006, Chris Maness wrote:
> >
> >> How should I set up cvsup to just track security updates for ports. And
> would the best thing to do after I synced CVS, do portupgrade -a so
> that everything selected gets rebuilt.
> >
> > I'm not sure there is a way to do this for ports, other than manually
> checking what's been changed and whether you consider that to be a
> security upgrade, then upgrading each applicable port by hand. As far as
> I understand, there is only one tag for ports ("tag=."), which gets you
> the "current" ports tree. I *can* guarantee that others know more about
> this than I do.
There is a port which does this for you (security/portaudit):
portaudit provides a system to check if installed ports are
listed in a database of published security vulnerabilities.
After installation it will update this security database
automatically and include its reports in the output of the
daily security run.
> >> What is the equivalent for the base system?
> >
> > Much simpler: just track RELENG_your_release to get security updates and
> bug fixes and nothing else. For example, mine is RELENG_5_4 and
> > therefore tracks 5.4-RELEASE.
Additionally, I'd suggest subscribing to one of these mailing list so
that you are notified when a SA is issued:
security-advisories at freebsd.org
freebsd-announce at freebsd.org
HTH,
Randy
--
More information about the freebsd-questions
mailing list