Free BSD 8.1
jmc-freebsd2 at milibyte.co.uk
Tue Sep 28 17:50:28 UTC 2010
On Tuesday 28 September 2010, perryh at pluto.rain.com wrote:
> Mike Clarke <jmc-freebsd2 at milibyte.co.uk> wrote:
> > The problem is if/when you need to update a port as a result of
> > a security advisory. If your ports tree is very much out of date
> > then it's likely that updating that one port will require a number
> > of dependencies to be updated as well, sometimes all the ports
> > depending on one or more of the updated dependencies need to be
> > updated as well and the resultant bag of worms can take quite a
> > lot of sorting out. The "little and often" approach of keeping
> > the ports tree up to date could be less traumatic.
> and, in this context, your point is?
> I'm advocating starting from a stable and self-consistent baseline,
> consisting of a release _and_ its corresponding port/package
> collection, and then considering whether any updates are needed.
> Isn't that orthogonal to the question of whether or not to follow
> ports updates, once the baseline has been established?
Well, I'd normally be happy to stay with the original release state without
having to have the "latest & greatest" version of each application, but
I prefer to update any ports which have been flagged by portaudit as
having security vulnerabilities, and this is when the problem could
arise. Updating a single port in isolation without updating the ports
tree can lead to problems with dependencies, so you invariably need to
update your ports tree and update the dependencies for the port in
If, for example, you were to build a web server by installing
8.1-RELEASE and the matching package for apache you would have
apache-2.2.15_9 which suffers from a remote DoS bug and should be
upgraded to 2.2.16 <http://www.vuxml.org/freebsd/CVE-2010-1452.html>.
As Warren Block has pointed out elsewhere in this thread, there's
usually a flurry of port updates when the ports tree is unfrozen just
after a release, so if you now update the ports tree and upgrade your
ports there could be a large number of ports to upgrade. Most of them
can be upgraded quite painlessly with portmaster or portupgrade, but
you'd need to check /usr/ports/UPDATING to see if any of them needed
special attention. Fixing a single special case is usually quite
straightforward, but things sometimes get more complex when there are
several. If, on the other hand, you installed the base system, updated
your ports tree and then built what you needed from ports (or the
latest packages), you'd get the latest versions without having to sort
out any conflicts. If you wait a long time before a new vulnerability
pushes you into doing your next upgrade then you'll still probably have
quite a lot to sort out, but updating small numbers of ports more
frequently usually involves less work than an occasional mega upgrade.
Well, that's just my 2 cents' worth, and it does depend on how many ports
you have. A minimal server setup with few ports will probably not need
very frequent port upgrades, but something like a desktop could easily
have 700 or more ports, and it can be quite messy to upgrade your ports
if it's been a long time since the last upgrade.
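The "check /usr/ports/UPDATING to see if any of them need special attention" step from the post above, as an added example that is not part of the original message and is not one of the FreeBSD ports tools: a POSIX sh function, updating_since, that scans a file in UPDATING format for entries dated after your last ports-tree update whose AFFECTS line names a port origin you have installed. It assumes the file's usual layout (an 8-digit date header followed by a colon, then an indented "AFFECTS:" line listing category/name origins, optionally with a trailing "*" glob such as lang/python*). The sample file written by write_sample_updating is constructed for this demonstration; its dates, entries and the 20100719 cutoff are placeholders, not real UPDATING content.

```shell
#!/bin/sh
# Added example (not from the original post or the ports tools):
# report /usr/ports/UPDATING entries newer than your last ports update
# that affect an installed port origin.
#
# Usage:  updating_since UPDATING_FILE YYYYMMDD origin [origin ...]
# Output: one "YYYYMMDD<TAB>origin" line per match, in file order
#         (UPDATING is kept newest-first), nothing when no entry matches.
#
# Assumed entry layout (matches the file's long-standing format, but the
# page itself does not spell it out):
#   20100826:
#     AFFECTS: users of lang/python*
#     AUTHOR: someone@example.org
#     <free text>

updating_since() {
    file=$1
    cutoff=$2
    shift 2
    awk -v cutoff="$cutoff" -v origins="$*" '
    # glob_match: exact origin, or a pattern with one "*" (prefix/suffix).
    # Patterns with more than one "*" are not supported.
    function glob_match(pat, s,    k, pre, suf) {
        k = index(pat, "*")
        if (k == 0) return pat == s
        pre = substr(pat, 1, k - 1)
        suf = substr(pat, k + 1)
        if (length(s) < length(pre) + length(suf)) return 0
        return substr(s, 1, length(pre)) == pre &&
               substr(s, length(s) - length(suf) + 1) == suf
    }
    BEGIN { n = split(origins, inst, " ") }
    # "20100826:" starts a new entry; 8-digit dates compare correctly as strings
    /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ { date = substr($0, 1, 8); next }
    /^[ \t]*AFFECTS:/ {
        if (date == "" || date <= cutoff) next
        for (i = 1; i <= NF; i++) {
            t = $i
            # strip surrounding punctuation: "(and", "devel/libtool22,", "it)"
            sub(/^\(+/, "", t)
            sub(/[,.;:)]+$/, "", t)
            # only category/name tokens are port origins
            if (index(t, "/") == 0) continue
            for (j = 1; j <= n; j++)
                if (glob_match(t, inst[j]) && !seen[date, inst[j]]++)
                    print date "\t" inst[j]
        }
    }' "$file"
}

# Constructed sample in UPDATING layout; the entries are placeholders
# written for this demonstration, not copied from the real file.
write_sample_updating() {
    cat > "$1" <<'EOF'
20100905:
  AFFECTS: users of lang/python*
  AUTHOR: someone@example.org

  Constructed entry: the python ports were reorganised, rebuild
  everything that depends on them.

20100820:
  AFFECTS: users of www/apache22 (and ports depending on it)
  AUTHOR: someone@example.org

  Constructed entry: the module layout changed, rebuild dependent
  ports after upgrading.

20100801:
  AFFECTS: users of devel/libtool22, devel/libltdl22
  AUTHOR: someone@example.org

  Constructed entry: libtool was updated, rebuild dependent ports.

20100710:
  AFFECTS: users of www/apache22
  AUTHOR: someone@example.org

  Constructed entry: older than the baseline date, so not reported.
EOF
}

# Demo: a small installed set checked against the constructed file, with
# 20100719 standing in for the date of the last ports-tree update.
sample=$(mktemp)
write_sample_updating "$sample"
updating_since "$sample" 20100719 www/apache22 lang/python26 x11/xterm
rm -f "$sample"
```

On a real system you would feed it /usr/ports/UPDATING, the date of your previous ports update, and the origins of your installed ports (for example from `pkg_info -qo` on the package tools of that era); anything it lists is an entry to read before letting portmaster or portupgrade loose on the whole set. Later versions of pkg(8) ship `pkg updating`, which performs this same check against the installed packages.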
More information about the freebsd-questions