keeping my freebsd secure...
cswiger at mac.com
Sat Jun 12 16:14:11 GMT 2004
Haim Ashkenazi wrote:
> 1. I need to follow the security advisories to see if there are
> vulnerabilities in the base system (I didn't find any regarding 4.10, am I
It's certainly a good idea, yes. There's a list just for security
announcements, although anyone who follows CERT or bugtrak or other security
lists are likely to see issues appear from various places.
Decide whether to follow RELENG_4 or RELENG_4_10.
> 2. I installed portaudit to tell me if there are vulnerabilities in the
portaudit is still work-in-progress, but this is also a good idea.
> 3. there are some tools (don't remember their names) that automatically
> downloads and installs upgrades.
[ ... ]
> how do I update my ports without breaking anything and without downtime
> for important services (apache, mysql, etc...)? the one port I installed
> from pre-compiled binary (screen) took 99% cpu, and I had to compile it
> so it'll work ok. so how do I upgrade any of the above daemons without
> having to uninstall -> compile -> reinstall (which takes a long time).
portupgrade does "compile -> uninstall -> reinstall", which interrupts the
affected software only for a few seconds. Note that it might still be a good
idea to shutdown and restart the service yourself directly.
> also, if the PNG library having vulnerabilities (as it is now on my
> system) and I update the ports and compile it, do I have to update all the
> ports or only this one (will php break if I won't upgrade it)?
That depends on whether the newer version of PNG retains shlib
backwards-compatibility with the older version. Good software tends to be
fine, other software where the authors are less concerned about retaining
compatibility with previous versions may require one to recompile dependent
ports as well.
More information about the freebsd-stable