Questions about freebsd-update

Brandon J. Wandersee brandon.wandersee at
Mon Jul 13 20:45:28 UTC 2015

Quartz writes:

>> When you install Windows and a service pack, you can't stop in
>> the half of the service pack installation.
>> freebsd-update make the same thing like windows update, it will install
>> security updates.
> Well, sorta. With Windows or OSX or whatever you can get a list of all 
> the updates it wants to install and you can check/uncheck them 
> individually, and you can download a lot of the major 
> updates/KBs/service packs separately and install them offline if you 
> need to. I was hoping there was something similar for FreeBSD.

The analogy remains apt. When you update a Windows system, you do indeed
have the option to select which updates are installed and which are
withheld, but each of those updates is a single package comprising
multiple files. The same holds for freebsd-update: when you use it, you
get an update containing multiple files that have been modified with the
latest changes. The difference is that you don't get to install updates
1-3, 5, 7, and 10-13. You have to install all of them. This may be
slightly less versatile than the Windows and OS X cases, but that's
irrelevant, because the design and development model of FreeBSD is
fundamentally different.

It seems to me that there are two roadblocks to understanding, here:
first, the behavior you describe--having multiple updates installed with
freebsd-update, without any choice in which ones get installed--will
only occur provided you do not update your system every time a FreeBSD
Security Advisory or Errata Notice is sent out. In such a case, when you
finally get around to updating the system, yes, every previous update
will be installed along with the latest one. The reasoning behind this
is, quite simply, that the only reason an x.x-RELEASE version of FreeBSD
gets updated is for major security and bug fixes, and since
freebsd-update is just a convenient way of getting security and bug
fixes on x.x-RELEASE versions, there's no reason to apply some updates
but not others. To put this another way: the updates you get with
freebsd-update are inherently conservative, and don't introduce any new,
untested features. *Only updates considered vital to a stable, secure
system are included.* All of the testing and experimentation takes place
in the -STABLE and -CURRENT branches, which cannot be updated via
freebsd-update anyway.

The only way to avoid a bulk update is to track the releng/* or stable/*
branch of your version of FreeBSD (such as releng/10), manually update
your local source repository to whichever commit you wish to test, and
rebuild world. This brings up the second possible barrier to
understanding: even supposing you updated your system by rebuilding
world from source one commit at a time, you still wouldn't have absolute
control over everything that got updated, because a single commit to the
FreeBSD source tree could contain changes to multiple, unrelated facets
of the system. So even a single commit could still function much the
same way a freebsd-update distribution would: multiple files from
multiple facets of the system being updated simultaneously. There's
simply no way to get control over every single aspect of the system
short of manually patching every single file.

Again, though, in the case of releng/* branches, the updates are
inherently conservative: only those things immediately necessary to
maintaining or enhancing security and stability are changed. So not only
is there no greatly compelling reason to apply individual updates via
freebsd-update, but the only compelling reason to build from source is
to control the components installed with the base system via
src.conf(5). In either case, the only updates to the base system you'll
receive are those you really shouldn't be passing up anyway, and which
shouldn't have any profound effect on how third-party applications
function on the system.

   		      :: Brandon Wandersee ::
                  :: brandon.wandersee at ::
'A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
                            			- Douglas Adams
