FreeBSD Patch question

Devon H. O'Dell dodell at sitetronics.com
Thu Sep 25 12:53:58 PDT 2003


V. Jones wrote:

>I administer a remote server and want to apply some of the security patches.  (I assume this is the best way to go since I can't go into single-user mode to use CVSup).

First: you can update your system without booting into single-user mode. 
I hope I don't get chewed out for suggesting this, but if there's nobody 
physically *at* your server to do the update for you, you're going to 
have to do it yourself (see below).

>I have a couple of questions.  First, I have installed one of the pgp ports to verify the patches.  When I run it, I get this message:
>
>>File 'buffer46.patch.asc' has signature, but with no text.
>>Text is assumed to be in file 'buffer46.patch'.
>>signature not checked.
>> Signature made 2003/09/17 18:02 GMT
>> key does not meet validity threshold.
>>
>>WARNING:  Because this public key is not certified with a trusted
>>signature, it is not known with high confidence that this public key
>>actually belongs to: "(KeyID: 0xCA6CDFB2)".
>
>I guess that I need to do some additional set up to get pgp to validate this file.  Can anyone tell me where to find a howto on this subject or tell me what to do?

Sure. IIRC, this just means that you've not marked the person's (KeyID: 
0xCA6CDFB2) signature as trusted. You'll need to connect to a keyserver 
and download the information about the person with KeyID: 0xCA6CDFB2. If 
you trust that you've the right data, you can mark said person as trusted.

>Second, do I have to apply each patch, then run make after each patch, or can I apply all the patches and just run make once?
>
>Any other advice or suggestions on updating a remote system would be appreciated.

You can apply all the patches and run make one time. If you're not 
interested in rebuilding the entire userland (and you're not installing 
newer versions of userland utilities that rely on an updated kernel), 
you can just run cvsup, download the source, and run make from within 
the desired directories.

The handbook recommends that one drop into single user mode to build the 
world. While this is certainly best practice, it is by no means 
absolutely necessary. I administer several servers in up to nine time 
zones away from me and, whenever there's a security advisory, I either

a) rebuild the entire userland and kernel if I've found enough things I 
need to change/tune at kernel level, or
b) rebuild and install the affected patches (which may actually cause 
option a -- rebuilding the world -- to be a necessity).

Again, building the world under single-user mode is a highly suggested 
best practice. It is by no means absolutely necessary and I've been 
doing it for a good while with no problems (never had a problem with 
it). I'd be glad to help you out with it privately, if you so wish.

--Devon
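An added example, written for this archive page and not code from either poster, of the workflow the reply describes: fetch the signing key, check each patch's signature, then apply all verified patches and run make once. It uses GnuPG instead of the PGP port quoted in the question and pins the signer's fingerprint rather than relying on web-of-trust validity (the "validity threshold" warning means the key's ownership has not been established, not that the signature is bad); the keyserver and the EXPECTED_FPR value are assumptions/placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies the detached PGP
# signature on a FreeBSD patch with GnuPG and pins the signer's key
# fingerprint, so the decision does not depend on web-of-trust validity.
# ASSUMPTIONS: gpg is installed; EXPECTED_FPR is a PLACEHOLDER to be
# replaced with the fingerprint obtained out of band, not from the keyserver.

EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"
SIGNING_KEYID="0xCA6CDFB2"            # key ID shown in the warning in the thread
KEYSERVER="hkps://keys.openpgp.org"   # assumed; use the one the project names

# Import the signing key so the signature can be checked at all. This
# does NOT make the key trusted, which is why the fingerprint is pinned.
fetch_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$SIGNING_KEYID"
}

# Read GnuPG --status-fd lines on stdin; succeed only on a GOODSIG whose
# VALIDSIG fingerprint equals $1. TRUST_* lines are deliberately ignored:
# the pinned fingerprint replaces the validity calculation.
check_status() {
    expected="$1"; good=0; bad=0; fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*) rest=${line#"[GNUPG:] VALIDSIG "}; fpr=${rest%% *} ;;
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then echo "REJECT: bad signature or missing key"; return 1; fi
    if [ "$good" -ne 1 ] || [ -z "$fpr" ]; then echo "REJECT: no valid signature"; return 1; fi
    if [ "$fpr" != "$expected" ]; then echo "REJECT: signed by $fpr, not $expected"; return 1; fi
    echo "OK: good signature by pinned key $fpr"
}

# Verify <patch> against <patch>.asc; gpg's status lines go to stdout via fd 1.
verify_patch() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Usage: sh verify-patches.sh buffer46.patch ...  (run from the source
# directory the advisory names). Every patch is verified before any is
# applied, and make runs once, as the reply advises.
if [ "$#" -gt 0 ]; then
    fetch_key || exit 1
    for p in "$@"; do verify_patch "$p" || exit 1; done
    for p in "$@"; do patch < "$p" || exit 1; done
    make
fi
```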
