staying 'up-to-date' questions

Andrew Boothman andrew at cream.org
Wed Jan 7 16:09:32 PST 2004


Duane Winner wrote:

> I've installed 4.9-RELEASE from the .ISO image.
> I just want to be certain that I have all security patches now and in
> the future.
> 
> If I have "*default release=cvs tag=RELEASE_4_9" in my cvsup file, will
> I get all the updates I need to be secure?

No - you'll keep updating your source to 4.9-RELEASE which, while fun, 
isn't ultimately productive because that's the source you've already got. ;)

What you want is something like "tag=RELENG_4_9" which will keep you 
up-to-date with the latest security and critical fixes for 4.9-RELEASE or 
"tag=RELENG_4" which is the -stable development branch and will include 
not just fixes but also new features and changes as the -stable branch 
works its way towards the next 4.x release.

Tags that you can put in your supfile are listed on 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html 
and don't forget to read the other sections of the manual about what it 
means to track one of the development branches.

> How do I know when to build a new kernel? How will I know when there is
> a security patch for the kernel?
> If I cronjob cvsup and rebuild the kernel once a week, will I be up to
> date?
> How do I know if my running kernel is up-to-date?

No - because there might be updates to software outside of the kernel. 
For example if a security problem is found in sendmail (perish the 
thought!) or OpenSSH then recompiling your kernel is not going to get 
them updated.

If a security problem is fixed in the kernel then you need to re-compile 
and re-install the kernel. Otherwise you just need to re-compile the 
relevant part of the system. Or if you can't be sure what has been 
touched by a particular update, go for a full "make 
buildworld/installworld" combo as usual.

The other key thing here is the -security-notifications list 
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications 
which will tell you when security problems have been found that affect 
your system. Then you know when to update your source and/or kernel 
and/or world.

Hope that clarifies things a bit!

Andrew
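
An added example, not part of the original message: a small sh check that reads the "*default ... tag=" line of a cvsup supfile and reports whether it follows a frozen release tag, a security branch such as RELENG_4_9, or the -stable branch. The supfile host, the sample contents and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report what a cvsup supfile's "*default ... tag=" line tracks.
# Only "*default" lines are read; per-collection tag= overrides are not handled.

# Print the tag= value from the last "*default" line on stdin that sets one.
supfile_tag() {
    sed -n 's/^\*default[[:space:]].*tag=\([^[:space:]]*\).*$/\1/p' | tail -n 1
}

# Map a tag to the kind of updates described in the message above.
classify_tag() {
    case "$1" in
        "")                   echo "no-tag" ;;
        RELEASE_*|*_RELEASE)  echo "frozen-release" ;;   # fixed point, never changes
        RELENG_[0-9]*_[0-9]*) echo "security-branch" ;;  # e.g. RELENG_4_9
        RELENG_[0-9]*)        echo "stable-branch" ;;    # e.g. RELENG_4
        .)                    echo "current" ;;
        *)                    echo "unknown" ;;
    esac
}

# Read a supfile on stdin; print "<tag> <class>". Exit status is 0 only when
# the tag follows a branch that receives fixes.
check_supfile() {
    tag=$(supfile_tag)
    class=$(classify_tag "$tag")
    echo "${tag:-<none>} $class"
    case "$class" in
        security-branch|stable-branch|current) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample supfile; the host name and paths are placeholders.
sample_supfile() {
    cat <<EOF
# constructed sample
*default host=cvsup.example.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=$1
*default delete use-rel-suffix
src-all
EOF
}

for t in RELEASE_4_9 RELENG_4_9 RELENG_4; do
    sample_supfile "$t" | check_supfile || echo "  -> will not pick up security fixes"
done
```

Against a real supfile, run `check_supfile < /path/to/supfile` and use the exit status in the cron job that calls cvsup.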


