Re: FreeBSD base pkg (packaging) and critical ports build alongside

From: Chris <bsd-lists_at_bsdforge.com>
Date: Wed, 29 Sep 2021 15:13:12 UTC
On 2021-09-29 01:28, FreeBSD User wrote:
> Hello,
> 
> I use FreeBSD-base packages built on self hosted systems to update 13-STABLE
> and CURRENT hosts.  I run into the problem, that the packages of the FreeBSD
> base, built via the FreeBSD framework and from most recent 13-STABLE sources,
> are often out of synchronisation with our poudriere packaging builders, that is
> especially true for critical ports with kernel modules, like i915 drm,
> virtualbox and so on. The problem is, obviously, barehanded: 13-STABLE sources
> and probably the API changes more rapidly than those of the appropriate builder
> hosts for poudriere and since it takes a bunch of days to build a whole
> poudriere packages repository, there is often a gap between the revision of the
> kernel and the port containing kernel modules.
> 
> So, the question is: how can I add ports to the building process of the FreeBSD
> sources tree in the way they get built every time I build the FreeBSD-base
> packages alongside the OS?

The simple answer is; by keeping/getting both trees where you want them before
you initiate a build.

This is what I do;

Pick some point in time, or in git(1) parlance; hash/revision. I then
git co/clone git hash/revision for both trees.
I then fire off a build for both. Creating $BASE install(s)/images &&
packages. Since I'm subscribed to the freebsd-security-notifications
ML, I get announcements whenever FreeBSD pushes security patches. I then
check the git log for when the patch(s) was/were pushed/committed. Then update
the affected tree to that hash/revision, and update the ports tree to
the same place in time. Then build both trees and update the affected
boxes (servers/hosts). You probably will also want to monitor the commit
list (WARNING it's a high volume list) for CVE notices. So as to keep
your ports tree safe. Simply do the same -- update the ports tree that
contains the CVE commit && build up/deploy your packages from it.

Customization (adding ports drivers to your $BASE (src) build):
Simply add

    PORTS_MODULES=<port driver>

to your make.conf(5). For instance; your i915 driver.

That pretty much covers it I think. :-)

See also; man make(1) man make.conf(5) && man ports(7)

HTH

--Chris
> 
> Thanks in advance,
> 
> oh
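
The tree-pinning step from the reply above, as an added example that is not part of the original message: given a src commit (for instance the one carrying a security fix), it finds the newest ports commit at or before that commit's date and checks out both trees there. The function names and the directory arguments are assumptions; only standard git(1) commands are used.

```shell
#!/bin/sh
# Added example: keep a ports checkout at the same point in time as a src
# commit, so kernel-module ports are built against the kernel they ship with.
# The directories and refs passed in are the caller's own (assumed) checkouts.

# Print the committer timestamp (epoch seconds) of REV in the tree at DIR.
commit_epoch() {
    git -C "$1" log -1 --format=%ct "$2"
}

# Print the newest commit reachable from PORTS_REF whose committer date is at
# or before the committer date of SRC_REV. Fails if the ports history has no
# commit that old, rather than silently building from a mismatched tree.
ports_rev_for_src() {
    src_dir=$1 src_rev=$2 ports_dir=$3 ports_ref=${4:-HEAD}
    ts=$(commit_epoch "$src_dir" "$src_rev") || return 1
    rev=$(git -C "$ports_dir" rev-list -1 --before="$ts" "$ports_ref") || return 1
    [ -n "$rev" ] || { echo "no ports commit at or before $ts" >&2; return 1; }
    printf '%s\n' "$rev"
}

# Check out both trees (detached) at the matched revisions and print the pair,
# so every image and package set can be traced back to exact hashes.
# On repeat runs pass a branch name as PORTS_REF: the detached HEAD left by an
# earlier run does not reach commits made after it.
pin_trees() {
    src_dir=$1 src_rev=$2 ports_dir=$3 ports_ref=${4:-HEAD}
    ports_rev=$(ports_rev_for_src "$src_dir" "$src_rev" "$ports_dir" "$ports_ref") || return 1
    git -C "$src_dir" checkout -q --detach "$src_rev" || return 1
    git -C "$ports_dir" checkout -q --detach "$ports_rev" || return 1
    printf 'src=%s ports=%s\n' "$(git -C "$src_dir" rev-parse HEAD)" "$ports_rev"
}
```
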