Confused about keeping system up to date

Michael Powell nightrecon at hotmail.com
Tue Oct 5 20:40:08 UTC 2010


Ed Flecko wrote:

> Hi folks,
> I'm running Production Release 8.1 on a production server.
> 
> For a variety of reasons, I've decided to keep my system up to date
> via building it from source code.
> 
> 1.) I want to follow the 8.1 errata branch, which (after rebuilding)
> pretty much just applies any released patches, right?
> 
> 2.) I want the entry in my supfile to read: tag=RELENG_8_1_0 - or
> tag=RELENG_8.1_0 ?

tag=RELENG_8_1 is known as the 'security branch' of 8.1-RELEASE. It is 
RELEASE plus security patches. RELEASE itself will never change.
 
> 3.) As a general rule, the only time you really NEED to update,
> rebuild your system, etc., is after there's been a security patch
> release, right?

True for RELEASE, not true for tracking -STABLE or -CURRENT as they are 
shifting targets. On production servers I only use RELEASE and only update 
for security updates. 

IMHO the only reason for considering a move from RELEASE to STABLE is if 
there is a specific fix for a very specific issue which had been fixed in 
-CURRENT and MFC'd back to STABLE. Don't have the exact issue in the bug 
report - stick with RELEASE. 
 
> 4.) Is RELENG_8_1 the same thing as 8.1-RELEASE ???

RELEASE itself is static. RELENG_8_1 is RELEASE plus security patches.
 
> 5.) If I'm just trying to keep my system up to date as far as applying
> security patches, should I just follow the directions in the security
> patch notes to apply it, or should I update via cvsup (or csup, etc.)
> and rebuild the system? I guess what I'm asking is: when, if ever (?)
> should you just apply patches or should you always update, rebuild,
> etc.???
> 

I read and follow the instructions in the announcement. If the issue is 
located in a userland utility, e.g. non-kernel related, you can apply the 
patch, rebuild/reinstall just that piece of code, and not reboot the system. 
A production system can remain in production. The thing that will be lacking 
is uname will not show the update status such as: 8.1-RELEASE-p1  <- the 
p(x) number will not increment.

This number will increment when doing a make buildworld, buildkernel, 
installkernel, and installworld rebuild by csup of source. This approach is 
necessitated when the issue is in the kernel code. The instructions in the 
announcement will tell you this so you can choose. But anytime the rebuild 
from source of kernel code is required so is a reboot.

-Mike
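
The branch naming and the -p(x) patch level discussed in the message above, as an added example that is not part of the original post: a small sh helper that maps a `uname -r` style string to the supfile tag it corresponds to. The function names and sample strings are constructed; the RELENG_8 (-STABLE) and "." (-CURRENT) tags are the standard CVS tags and are not mentioned in the post.

```sh
#!/bin/sh
# Added example: derive the supfile tag and patch level from a FreeBSD
# version string. Function names are hypothetical.

# patch_level "8.1-RELEASE-p1" -> 1 ; a string with no -pN suffix -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# supfile_tag "8.1-RELEASE-p1" -> RELENG_8_1 (RELEASE plus security patches)
supfile_tag() {
    ver=${1%%-*}          # "8.1"
    rest=${1#*-}          # "RELEASE-p1"
    branch=${rest%%-*}    # "RELEASE"
    major=${ver%%.*}
    minor=${ver#*.}
    case "$branch" in
        RELEASE) echo "RELENG_${major}_${minor}" ;;  # security branch
        STABLE)  echo "RELENG_${major}" ;;           # moving target
        CURRENT) echo "." ;;                         # moving target
        *)       echo "unknown"; return 1 ;;
    esac
}

# report [version]: one-line summary; defaults to this host's `uname -r`.
# The patch level only reflects the last full buildworld/buildkernel
# cycle: a userland fix applied by hand does not increment it, so an
# inventory built from this value should also track applied advisories.
report() {
    v=${1:-$(uname -r)}
    tag=$(supfile_tag "$v") || { echo "unrecognised version: $v"; return 1; }
    echo "tag=$tag patch-level=$(patch_level "$v")"
}
```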




