Questions about patches
ctodd at netgate.net
Tue Apr 8 18:25:00 PDT 2003
I'm looking at replacing BSD/OS with FreeBSD (we're a hosting provider).
I've been using FreeBSD for some time now for non-customer servers
(Amanda, DNS, Mail) and have maintained/upgraded these servers as needed,
typically using cvsup and make world/kernel. To move to a production
environment however, I need to create procedures for keeping these
systems up to date with minimal downtime and customer impact.

Unfortunately patching in the FreeBSD world is much different than BSD/OS
or even RedHat.
In the BSD/OS world, patches are supplied for the core OS (including some
installed apps) in binary format. Basically a perl script with encoded
archives embedded, you just run "perl <patchnum> apply". This doesn't
include our own apps like Apache, MySQL, etc that we install separately as
they are updated more frequently than Windriver cares to release OS
In the RedHat world, many applications are installed with the OS (not
necessarily a good thing) and RedHat does a good job of announcing and
releasing patches for these applications in a timely manner. The patches
come in rpm format and can even be autoinstalled by a third party utility
In the FreeBSD world however (feel free to jump in and set me straight
here) patches seem to only be released for core OS components based solely
on CERT advisories. These patches often (but not always) need to be
applied to the source tree by running several commands and then by running
make world just as upgrading the OS. For example, FreeBSD-SA-03:06.openssl
required the whole OS be rebuilt rather than replacing the affected
components, whereas FreeBSD-SA-03:07.sendmail was supplied in binary
I intend on running a "build" server to which all other servers will NFS
mount to perform OS upgrades, but I'd prefer not to have to do this for
every advisory. I've scoured the FreeBSD site and other resources for a
couple of days, but I've found no binary way of patching the OS as I'm
accustomed to doing with BSD/OS and RedHat. So my first question is:
Is/will there be a better method of patching the core OS in the future
that addresses only the affected components?
I realize OpenSSL is a dependency for many other things in the OS, so I
can understand if perhaps this example may require an OS rebuild. Second
question would be: Will FreeBSD supply a patching mechanism that perhaps
utilizes a package manager?

Now on to the ports and packages. The maintainers of the ports collection
appear to do a good job of quickly patching software in the ports
collection, but rarely is an announcement made to the list (at least to
any of the freebsd lists I subscribe to) which makes it difficult to
determine when something has been in fact patched. New packages are
released soon after in most cases, but often run several releases behind
what is current, ruling out pkg_add as an option.
Unfortunately patching a given port (with dependencies) seems to require
updating the entire ports tree to the latest versions, then compiling and
installing. In some instances we may want to apply a patch to an existing
version of an application rather than update it, but this is not possible
most of the time. From what I can surmise, the procedure for patching
applications in a multi server environment is to update the ports tree and
to build/install/test these on a build server, and then package them up
and install them remotely via pkg_add. Questions:
1. Is this the best way to apply patches to applications?
2. Are there any plans to provide a better notification system when
applications are patched similar to what RedHat has done with Bugzilla?

If there's a better list to send this to, let me know.
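Added example, not part of the original post and not a FreeBSD tool: the build-server workflow described above starts with working out which installed packages are behind the ports tree, which is the job pkg_version(1) does on a live system. The sh script below performs that comparison offline, against a constructed pkg_info-style list of installed packages and a constructed excerpt of /usr/ports/INDEX, using FreeBSD's version[_revision][,epoch] ordering. The package names, versions and port paths in the sample data are made up for the example, and the version ordering leaves out the special pre/beta/pl suffix rules of the real tool.

```shell
#!/bin/sh
# Added example: report installed packages whose version is behind the
# ports INDEX, using FreeBSD's  version[_revision][,epoch]  scheme.
# Both inputs below are constructed sample data, not real system output.

# What `pkg_info | cut -d' ' -f1` would print on the build server (constructed).
INSTALLED='apache-1.3.27_3
mysql-server-3.23.55
openssl-0.9.7a
perl-5.6.1_10
sendmail-8.12.8
cvsup-without-gui-16.1g'

# Excerpt of /usr/ports/INDEX: '|'-separated, first field is the package name
# (constructed; only the first three fields are shown).
INDEX='apache-1.3.27_4|/usr/ports/www/apache13|/usr/local
mysql-server-3.23.56|/usr/ports/databases/mysql323-server|/usr/local
openssl-0.9.7a|/usr/ports/security/openssl|/usr/local
perl-5.6.1_10|/usr/ports/lang/perl5|/usr/local
sendmail-8.12.9|/usr/ports/mail/sendmail|/usr/local
cvsup-without-gui-16.1h|/usr/ports/net/cvsup-without-gui|/usr/local'

# vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B.
# Epoch (after ',') wins outright; then the dotted version, whose parts are
# split into digit runs (compared numerically) and letter runs (compared as
# strings, so 0.9.7a > 0.9.7); then the _revision. Simplification: no special
# ordering for "pre"/"beta"/"pl" suffixes as the real pkg_version(1) has.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function split_ver(s, out,   n) {           # out[1]=version out[2]=rev out[3]=epoch
        out[2] = 0; out[3] = 0
        n = index(s, ","); if (n) { out[3] = substr(s, n + 1) + 0; s = substr(s, 1, n - 1) }
        n = index(s, "_"); if (n) { out[2] = substr(s, n + 1) + 0; s = substr(s, 1, n - 1) }
        out[1] = s
    }
    function tok(s, arr,   parts, n, i, k) {    # "1.3.27a" -> 1 3 27 a
        gsub(/[0-9]+/, ".&.", s)
        n = split(s, parts, ".")
        k = 0
        for (i = 1; i <= n; i++) if (parts[i] != "") arr[++k] = parts[i]
        return k
    }
    function cmpver(x, y,   xa, ya, nx, ny, i) {
        nx = tok(x, xa); ny = tok(y, ya)
        for (i = 1; i <= nx && i <= ny; i++) {
            if (xa[i] == ya[i]) continue
            if (xa[i] ~ /^[0-9]+$/ && ya[i] ~ /^[0-9]+$/) return (xa[i] + 0 < ya[i] + 0) ? -1 : 1
            if (xa[i] ~ /^[0-9]+$/) return 1    # digits outrank letters (simplification)
            if (ya[i] ~ /^[0-9]+$/) return -1
            return (xa[i] < ya[i]) ? -1 : 1
        }
        return (nx == ny) ? 0 : (nx < ny ? -1 : 1)
    }
    BEGIN {
        split_ver(a, A); split_ver(b, B)
        if (A[3] != B[3]) r = (A[3] < B[3]) ? -1 : 1
        else {
            r = cmpver(A[1], B[1])
            if (r == 0 && A[2] != B[2]) r = (A[2] < B[2]) ? -1 : 1
        }
        print r
    }'
}

# check_outdated "<installed list>" "<INDEX lines>": print one line per package
# that is behind the INDEX (or absent from it); exit status 1 if any is behind.
check_outdated() {
    rc=0
    for pkg in $1; do
        name=${pkg%-*}                # everything before the last '-'
        ver=${pkg##*-}                # everything after it
        entry=$(printf '%s\n' "$2" | awk -F'|' -v n="$name" '
            { p = $1; sub(/-[^-]*$/, "", p); if (p == n) { print $1; exit } }')
        if [ -z "$entry" ]; then
            echo "$name: not in INDEX (locally built or removed port?)"
            continue
        fi
        iver=${entry##*-}
        if [ "$(vercmp "$ver" "$iver")" = -1 ]; then
            echo "$name installed=$ver index=$iver"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run; the || keeps the script's own exit status clean.
check_outdated "$INSTALLED" "$INDEX" || echo "rebuild the packages above on the build server, then pkg_add them"
```

On a real host, feed it `pkg_info | cut -d' ' -f1` and the INDEX from the build server's ports tree; the exit status makes it usable from cron as a nightly check, and the split on the last hyphen matters because package names such as cvsup-without-gui contain hyphens themselves.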