ports security branch

Melvyn Sopacua freebsd.stable at melvyn.homeunix.org
Tue Dec 20 02:44:05 PST 2005


On Tuesday 20 December 2005 11:18, rihad wrote:
> Yann Golanski wrote:
> > Quoth rihad on Tue, Dec 20, 2005 at 10:25:59 +0400
> >
> >>Is there a security branch for the FreeBSD ports collection? Let's say,
> >>I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages
> >>(i.e., those on the CD). Running security/portaudit after a while
> >>reveals that some of the installed packages have vulnerabilities. Am I
> >>on my own to go grab the fresh ports tree, and upgrade the affected
> >>software, suffering all the intricacies of the move by myself? Debian
> >>GNU/Linux has its security package updates, OpenBSD has a separately
> >>maintained "errata" ports branch (it's very likely you still get to
> >>download a newer release of the software, though).
> >
> > Attached is a script I use to update my machines.  It works fine but
> > you need to understand what it does and not run it blindly.  DO NOT put
> > that in cron, there lies pain!
> >
> > Otherwise, just run the script and it will update all your ports for
> > you.  It'll even mail you with the updated ports.
>
> [script snipped]
>
> A very interesting script for its own purpose, but I'm afraid this
> doesn't answer my question at all.

FreeBSD accepts limited responsibility for what is in /usr/ports. Maintaining 
security is not one of them.

> Perhaps seeing the way that e.g. 
> Debian deals with the upgrade problem might shed some light on the
> issue. Hell, FreeBSD does exactly that for the base world+kernel, too!
> Not for the ports, though.

See above. Instead of focusing on the method, focus on the end-goal: you want 
security updates on your ports and the script posted attempts to provide 
that.
I had one that was safe to run in cron (in fact it ran in periodic/daily), but 
it used a cvs tree of ports, not cvsup, to save time[1]. I lost it with a disk 
crash, but was going to recreate it anyway; might as well do it now if people 
are interested.

[1] cvsup, although faster on the entire tree, cannot update a single 
directory.
-- 
Melvyn Sopacua
freebsd.stable at melvyn.homeunix.org

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3