Security Updates and Patching Two Choices?
Sean Murphy
smurphy at calarts.edu
Mon Mar 29 11:30:10 PST 2004
I would like to stay patched with the latest security advisories.
However, usually I wait until the next release ISO becomes available and
do a fresh install that includes all the known exploits. My reason
behind this is the "makeworld", "CVSup", and "mergemaster" is very time
consuming/complicated. "Mergemaster" especially when I'm merging /etc
files that I have no clue what they do. I also don't want "all"
sources compiled on my system. I like a minimized OS. I don't want to
build "all" sources when I just need these on my system (bin, man, and
crypto). The same selection I use from a new install from
/stand/sysinstall. Is that possible?
However, in the "security advisories" the second option is to download
this file, patch the existing source, and do a "makeworld".
Here is an excerpt of the latest advisory:
---
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system as described in
<URL:http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html>.
---
It seems the "makeworld" process is the only way to keep the system
patched.
If I tag just the 4_9 Release in the CVSupfile, can I just ignore the
mergemaster? Also, can I just CVSup the sources and build the ones I
want? (see above)
Thanks in advance
Sean Murphy
smurphy at calarts.edu
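
Steps a) and b) of the quoted advisory, written as a fail-closed shell function. This is an added example, not part of the original message or the advisory. It assumes gpg already has the signing key imported and that patch(1) supports -d and --dry-run. VERIFY_CMD is a hypothetical override hook.

```sh
#!/bin/sh
# Added example: apply a source patch only if its detached PGP signature
# verifies and the patch would apply cleanly. Nothing in the source tree is
# modified unless both checks pass.
# Assumptions: gpg has the signing key imported; patch(1) accepts -d and
# --dry-run. VERIFY_CMD is a hypothetical hook for swapping the verifier.

apply_verified_patch() {
    patch_file=$1   # e.g. openssl.patch
    sig_file=$2     # e.g. openssl.patch.asc
    src_dir=$3      # e.g. /usr/src

    # Fail closed: a missing input means nothing gets applied.
    [ -r "$patch_file" ] || { echo "missing patch: $patch_file" >&2; return 2; }
    [ -r "$sig_file" ]   || { echo "missing signature: $sig_file" >&2; return 2; }
    [ -d "$src_dir" ]    || { echo "missing source tree: $src_dir" >&2; return 2; }

    # Step a: the detached signature must verify against the patch file.
    # A missing gpg binary also lands here, so the tree stays untouched.
    if ! ${VERIFY_CMD:-gpg --verify} "$sig_file" "$patch_file" >/dev/null 2>&1; then
        echo "signature check FAILED, not touching $src_dir" >&2
        return 3
    fi

    # Step b, rehearsed first so a half-applied patch never lands in the tree.
    if ! patch -d "$src_dir" --dry-run < "$patch_file" >/dev/null 2>&1; then
        echo "patch does not apply cleanly, not touching $src_dir" >&2
        return 4
    fi

    # Both checks passed: apply for real (same invocation as the advisory,
    # with -d standing in for "cd /usr/src").
    patch -d "$src_dir" < "$patch_file"
}

# Usage, with the file names from the advisory excerpt:
#   apply_verified_patch openssl.patch openssl.patch.asc /usr/src
```

A zero exit status means the tree was patched and step c) of the advisory, the rebuild, is next.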