keeping my freebsd secure... THANX

Joe Kelsey joe at zircon.seattle.wa.us
Mon Jun 14 04:27:45 GMT 2004


On Sun, 2004-06-13 at 20:31, Ladislav Bodnar wrote:
> On Monday 14 June 2004 07:51, Haim Ashkenazi wrote:
> > what you're saying is very disturbing... I only moved to FreeBSD
> > because debian stable releases a new version once in a long time
> > (more
> 
> I am in the same situation as you. But I am wondering - what happens if 
> you just run the installation program from within an existing 
> installation and update the binary packages to the latest release (say, 
> your server is running 4.9, but you want to upgrade to 4.10). Is this a 
> good way of going about upgrading, or am I just completely off my 
> rocko?

FreeBSD works correctly from SOURCE every single time.

> (I know this doesn't address the issue of security fixes, but at least 
> you could get your PHP up to a newer version).
> 
> In all honesty, I don't feel confident about upgrading an entire system 
> by compiling from sources. Maybe it's because I've been bitten by 
> upgrade problems on Gentoo, but also because, from whatever little 
> experience I have with FreeBSD, compiling from sources can fail on 
> FreeBSD too. My logic dictates that the binary packages provided with a 
> RELEASE are well-tested, so that everything works together nicely. Why 
> bother with compiling?

I compile and install from source on a regular basis.  I have never
installed a binary package except for my first installation from CD-ROM
of a 4.0 system, immediately cvsup'd into a -STABLE release compiled
from source.

I worked for a local ISP with over 500 FreeBSD servers, all done from
source.  We compiled test machines to generate our own custom system
images and then installed on all machines in groups.  The problem there
comes from keeping the old machines current enough to still work in
spite of various security problems.  That was a real problem for the old
3.2 machines, but still we were installing 4.5 FreeBSD images while 4.8
was in the release process.  When you have a large enough number of
machines to keep up, you cannot possibly keep all of them up to date.

My logic dictates that you have to compile and test your own
distributions based on some -RELEASE.  Running GENERIC kernels is a
loser strategy, so you will have to compile something to get working.

/Joe


> Anybody cares to comment?
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
