Free BSD 8.1

Mike Clarke jmc-freebsd2 at milibyte.co.uk
Tue Sep 28 17:50:28 UTC 2010


On Tuesday 28 September 2010, perryh at pluto.rain.com wrote:

> Mike Clarke <jmc-freebsd2 at milibyte.co.uk> wrote:

[snip]

> > The problem is if/when you need to update a port as a result of
> > a security advisory. If your ports tree is very much out of date
> > then it's likely that updating that one port will require a number
> > of dependencies to be updated as well, sometimes all the ports
> > depending on one or more of the updated dependencies need to be
> > updated as well and the resultant bag of worms can take quite a
> > lot of sorting out.  The "little and often" approach of keeping
> > the ports tree up to date could be less traumatic.
>
> and, in this context, your point is?
>
> I'm advocating starting from a stable and self-consistent baseline,
> consisting of a release _and_ its corresponding port/package
> collection, and then considering whether any updates are needed.
> Isn't that orthogonal to the question of whether or not to follow
> ports updates, once the baseline has been established?
> _______________________________________________

Well I'd normally happy to stay with the original release state without 
having to have the "latest & greatest" version of each application but 
I prefer to update any ports which have been flagged by portaudit as 
having security vulnerabilities and this is when the problem could 
arise. Updating a single port in isolation without updating the ports 
tree can lead to problems with dependencies so you invariably need to 
update your ports tree and update the dependencies for the port in 
question.

If, for example, you were to build a web server by installing 
8.1-RELEASE and the matching package for apache you would have 
apache-2.2.15_9 which suffers from a remote DoS bug and should be 
upgraded to 2.2.16 <http://www.vuxml.org/freebsd/CVE-2010-1452.html>. 
As Warren Block has pointed out elsewhere in this thread there's 
usually a flurry of port updates when the ports tree is unfrozen just 
after a release so if you now update the ports tree and upgrade your 
ports there could be a large number of ports to upgrade, most of them 
can be upgraded quite painlessly with portmaster or portupgrade but 
you'd need to check /usr/ports/UPDATING to see if any of them needed 
special attention, fixing a single special case is usually quite 
straightforward but things sometimes get more complex when there's 
several. If on the other hand you installed the base system, updated 
your ports tree and then built what you needed from ports (or the 
latest packages) you'd get the latest versions without having to sort 
out any conflicts. If you wait a long time before a new vulnerability 
pushes you into doing your next upgrade then you'll still probably have 
quite a lot to sort out but updating small numbers of ports more 
frequently usually involves less work than an occasional mega upgrade.

Well, that's just my 2 cents worth and it does depend on how many ports 
you have. A minimal server setup with few ports will probably not need 
very frequent port upgrades but something like a desktop could easily 
have 700 or more ports and it can be quite messy to upgrade your ports 
if it's been a long time since the last upgrade.

-- 
Mike Clarke


More information about the freebsd-questions mailing list