a few questions and concepts
bsd at bathnetworks.com
bsd at bathnetworks.com
Sat Apr 8 06:41:30 UTC 2006
> On Friday 07 April 2006 16:34, Giorgos Keramidas wrote:
>> On 2006-04-07 15:54, Jonathan Horne <freebsd at dfwlp.com> wrote:
>> > im still pretty new to freebsd. ive been playing around with the
>> > tools, and they are quite fascinating.
>> > i changed my production server from Fedora to FreeBSD 6.0, about 1 day
>> > before the most recent sendmail exploit was published (well, published
>> > freebsd.org anyway).
>> Murphy at work, again, eh? :)
>> > i did download the patch and recompile it, but as some have also noted
>> > on this list, that it still banners as 8.13.4 when you telnet to it.
>> > so, the past couple of days, i have learned to cvsup my /usr/src
>> > directories. ive just been using the standard copy of the
>> > stable-supfile. i have learned that if i perform the sendmail
>> > after the cvsup, that it sendmail seems to proclaim 8.13.6 in the
>> > on top of that, i have learned that if i recompile the kernel after
>> > cvsup, that it no longer says FreeBSD 6.0-RELEASE, but FreeBSD
>> > 6.1-PRERELEASE.
>> You are running RELENG_6 now, which is much more recent than
>> The first one is the top of the 6.X branch, which changes moderately
>> slow, but it *does* change. The 6.0-RELEASE source tree is "frozen in
>> time" at the point the tag was placed on the source tree.
>> > my questions:
>> > 1) after cvsup, i think i can assume that sendmail is now compiling
>> > sourcecode that should definatly be free from the current exploit. i
>> > would also assume that anything that i would need to recompile from
>> > /usr/src should also see the benefit of 'latest source code'?
>> Yes, both true.
>> > 2) on a production server, should i avoid recompiling a kernel that
>> > be FreeBSD 6.1-PRERELEASE? on the whole, how reliable is the bulk of
>> > these newer sources that were pulled down by cvsup?
>> In general, if you a bit paranoid, you should avoid running RELENG_6 on
>> a production system. At least until you have thoroughly tested it on a
>> "test system" and found everything working as expected.
>> > i can definatly see the benefits of using cvsup to take care of
>> > problem with some things (like sendmail), but allowing it to update
>> > everything under the /usr/src tree, im wondering if i could be setting
>> > myself up for issues (by not editing the stable-supfile and taking
>> > only what i need).
>> This is why each FreeBSD release is associated with at least:
>> * A "frozen" tag, like RELENG_6_0_RELEASE
>> * A security branch, like RELENG_6_0
>> * A stable branch, like RELENG_6
>> Changes go very fast in the CURRENT FreeBSD branch. After they settle
>> in for a while, soem of them are backported to the RELENG_X branch. The
>> RELENG_X branch changes much slower than the experimental, CURRENT
>> branch, but it does change every time a new feature is backported to
>> Then, when security fixes are made available, they are added both to the
>> RELENG_X branch and the RELENG_X_Y security branches.
>> If all you want is the "frozen" release sources plus changes that are
>> really really necessary, because they fix a serious security bug, you
>> probably want RELENG_X_Y (RELENG_6_0 in this case).
>> freebsd-questions at freebsd.org mailing list
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
> thank you kindly for your reply, that was quite informative. ive actually
> read the document on the differences between the stable, current, and
> (or whatever), and find that system quite confusing for the moment. im
> ill grasp the method of the madness eventually. i guess what confuses me,
> that i read about those, and then try to find them on the ftp sites. i
> assume, that only release is made into a .iso file? and to move to a
> version (either the security RELENG_6_0 or stable RELENG_6), you do this
> the cvsup tool.
Yes, as far as I can tell that is correct, it confused me at first. The
iso image is the latest release for each branch.
> so, by your descriptions and reply to my previous comments, my system that
> running what says 6.1-PRERELEASE is really RELENG_6 (stable) ?
Again correct. Don't forget 'stable' is not that stable it is a snapshot
of 'current' that is stable enough to be released.
> Jonathan Horne
The other confusing this is that the tags only realy refer to the
'userland' ie the core system. The ports get updated as and when.
On the system I am currently working on which will be a production server,
I don't whant too much change when in prodction so I am following the 6.0
branch at present (RELENG_6_0). I have portaudit installed which tells me
what ports have been updated through security issues and I can decide if I
need to update them. Apart from that I will probably leave it alone.
Hope this helps
More information about the freebsd-questions