ports security branch

Paul Schmehl pauls at utdallas.edu
Mon Dec 19 11:02:10 PST 2005


--On December 19, 2005 6:56:25 PM +0400 rihad <rihad at mail.ru> wrote:

> Is there a security branch for the FreeBSD ports collection?  Let's say,
> I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages.
> Running security/portaudit after a while reveals that some of the
> installed packages have vulnerabilities. Am I on my own to go grab the
> fresh ports tree, and upgrade the affected software, suffering all the
> intricacies of the move by myself? Debian GNU/Linux has its security
> package updates, OpenBSD has a separately maintained "errata" ports
> branch (you still get to download a newer release of the software, though
> (IIRC)).
>
On your own, but not in the sense you may think.  If you cvsup your ports 
(I do it nightly for all my servers), then you can simply run portupgrade 
and all the affected ports will be upgraded (assuming you use the right 
switches - I use -ai because I want to be able to decline to upgrade a port 
if it's going to affect a lot of people and then schedule it for later that 
same day or the next.)

I'm not sure what you mean by "suffering all the intricacies".  Cvsup will 
fetch all the ports that have updates (assuming you use the right config - 
man is your friend), so you really don't have to do much except launch 
cvsup (if you haven't already scheduled it routinely) and then launch 
portupgrade once cvsup is done.

When I set up a new server, one of the first things I do, before installing 
any applications, is run cvsup to update everything.  Then I set up cvsup to 
run nightly, and only then do I begin installing whatever applications that 
particular server might need.

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
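
An added example, not part of the message above or of the FreeBSD tools: a small sh filter that reduces a portaudit report to the affected package names, so the portupgrade run that follows the nightly cvsup can be reviewed against them. The report layout ("Affected package:" / "Type of problem:" / "Reference:" records) is an assumption, the sample text is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of a portaudit-style report (assumed record layout).
sample_audit() {
cat <<'EOF'
Affected package: curl-7.15.0
Type of problem: curl -- constructed sample entry.
Reference: <http://example.invalid/advisory-1>

Affected package: php5-5.0.5_1
Type of problem: php -- constructed sample entry.
Reference: <http://example.invalid/advisory-2>

Affected package: curl-7.15.0
Type of problem: curl -- second constructed entry for the same package.
Reference: <http://example.invalid/advisory-3>

3 problem(s) in your installed packages found.
EOF
}

# Read a report on stdin; print each affected package once as "name version".
affected_packages() {
    sed -n 's/^Affected package: //p' | sort -u | while IFS= read -r pkg; do
        # Package names are <name>-<version>; the version follows the last hyphen.
        printf '%s %s\n' "${pkg%-*}" "${pkg##*-}"
    done
}

# Read a report on stdin; print an interactive portupgrade command line
# limited to the affected packages (prints nothing if none were reported).
upgrade_command() {
    names=$(affected_packages | cut -d' ' -f1 | tr '\n' ' ')
    names=${names% }
    if [ -n "$names" ]; then
        printf 'portupgrade -i %s\n' "$names"
    fi
}

# Stand-alone run on the constructed sample: show the list and the command.
sample_audit | affected_packages
sample_audit | upgrade_command
```

On a real host, pipe portaudit's report into `upgrade_command` in place of `sample_audit`, after cvsup has refreshed the ports tree.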

