a few questions and concepts

Jonathan Horne freebsd at dfwlp.com
Sat Apr 8 00:11:51 UTC 2006


On Friday 07 April 2006 16:34, Giorgos Keramidas wrote:
> On 2006-04-07 15:54, Jonathan Horne <freebsd at dfwlp.com> wrote:
> > I'm still pretty new to FreeBSD.  I've been playing around with the cvsup
> > tools, and they are quite fascinating.
> >
> > I changed my production server from Fedora to FreeBSD 6.0, about 1 day
> > before the most recent sendmail exploit was published (well, published on
> > freebsd.org anyway).
>
> Murphy at work, again, eh? :)
>
> > I did download the patch and recompile it, but as some have also noted
> > on this list, it still banners as 8.13.4 when you telnet to it.
> >
> > So, the past couple of days, I have learned to cvsup my /usr/src
> > directories.  I've just been using the standard copy of the
> > stable-supfile.  I have learned that if I perform the sendmail recompile
> > after the cvsup, sendmail seems to proclaim 8.13.6 in the banner.
> > On top of that, I have learned that if I recompile the kernel after
> > cvsup, it no longer says FreeBSD 6.0-RELEASE, but FreeBSD
> > 6.1-PRERELEASE.
>
> You are running RELENG_6 now, which is much more recent than
> RELENG_6_0_RELEASE.
>
> The first one is the top of the 6.X branch, which changes moderately
> slow, but it *does* change.  The 6.0-RELEASE source tree is "frozen in
> time" at the point the tag was placed on the source tree.
>
> > My questions:
> > 1) After cvsup, I think I can assume that sendmail is now compiling from
> > source code that should definitely be free from the current exploit.  I
> > would also assume that anything that I would need to recompile from
> > /usr/src should also see the benefit of 'latest source code'?
>
> Yes, both true.
>
> > 2) On a production server, should I avoid recompiling a kernel that will
> > be FreeBSD 6.1-PRERELEASE?  On the whole, how reliable is the bulk of
> > these newer sources that were pulled down by cvsup?
>
> In general, if you are a bit paranoid, you should avoid running RELENG_6 on
> a production system.  At least until you have thoroughly tested it on a
> "test system" and found everything working as expected.
>
> > I can definitely see the benefits of using cvsup to take care of
> > problems with some things (like sendmail), but allowing it to update
> > everything under the /usr/src tree, I'm wondering if I could be setting
> > myself up for issues (by not editing the stable-supfile and taking
> > only what I need).
>
> This is why each FreeBSD release is associated with at least:
>
>     * A "frozen" tag, like RELENG_6_0_RELEASE
>
>     * A security branch, like RELENG_6_0
>
>     * A stable branch, like RELENG_6
>
> Changes go very fast in the CURRENT FreeBSD branch.  After they settle
> in for a while, some of them are backported to the RELENG_X branch.  The
> RELENG_X branch changes much slower than the experimental, CURRENT
> branch, but it does change every time a new feature is backported to
> RELENG_X.
>
> Then, when security fixes are made available, they are added both to the
> RELENG_X branch and the RELENG_X_Y security branches.
>
> If all you want is the "frozen" release sources plus changes that are
> really really necessary, because they fix a serious security bug, you
> probably want RELENG_X_Y (RELENG_6_0 in this case).
>
> Regards,
> Giorgos

Thank you kindly for your reply, that was quite informative.  I've actually
read the document on the differences between the stable, current, and release
(or whatever), and find that system quite confusing for the moment.  I'm sure
I'll grasp the method of the madness eventually.  I guess what confuses me is
that I read about those, and then try to find them on the ftp sites.  I
assume that only release is made into a .iso file?  And to move to a higher
version (either the security RELENG_6_0 or stable RELENG_6), you do this thru
the cvsup tool.

So, by your descriptions and reply to my previous comments, my system that is
running what says 6.1-PRERELEASE is really RELENG_6 (stable)?

thanks,
Jonathan Horne
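
Added example, not part of the original messages: a small sh script that reads the tag= value from a cvsup supfile and reports which of the branch types described in the quoted reply it tracks, so an administrator can confirm what a production box follows before rebuilding. The supfile contents and the host cvsup.example.org are constructed, the function names are hypothetical, and tag=. is assumed to denote CURRENT, as in cvsup's stock supfiles.

```sh
# Added example: report which FreeBSD branch a cvsup supfile tracks.

# Print the tag= value from the supfile's "*default" lines (last one wins).
supfile_tag() {
    sed -n 's/^\*default.*[[:space:]]tag=\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Map a tag to the branch types described in the reply above.
classify_tag() {
    if [ "$1" = "." ]; then
        echo "current"
    elif echo "$1" | grep -Eq '^RELENG_[0-9]+(_[0-9]+)+_RELEASE$'; then
        echo "frozen-release"
    elif echo "$1" | grep -Eq '^RELENG_[0-9]+_[0-9]+$'; then
        echo "security-branch"
    elif echo "$1" | grep -Eq '^RELENG_[0-9]+$'; then
        echo "stable-branch"
    else
        echo "unknown"
    fi
}

# Constructed sample input (not from the thread), shaped like a stable-supfile.
write_sample_supfile() {
    cat > "$1" <<'EOF'
*default host=cvsup.example.org
*default prefix=/usr
*default release=cvs tag=RELENG_6
*default delete use-rel-suffix
src-all
EOF
}

# Report the tracked tag; succeed only for a frozen tag or a security branch.
audit_supfile() {
    tag=$(supfile_tag "$1")
    kind=$(classify_tag "$tag")
    echo "$1: tag=${tag:-<none>} ($kind)"
    case "$kind" in
        frozen-release|security-branch) return 0 ;;
        *) return 1 ;;
    esac
}

tmp=$(mktemp)
write_sample_supfile "$tmp"
audit_supfile "$tmp" || echo "tracks a moving branch; test before production use"
rm -f "$tmp"
```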

