FreeBSD Patch question
Devon H. O'Dell
dodell at sitetronics.com
Sat Sep 27 14:18:43 PDT 2003
V. Jones wrote:
>Thanks to everyone who responded - my question really had more to do with applying patches as they are presented in the various security advisories. It sounds like most of you don't do it that way; it sounds like you track freebsd-stable using cvsup. However, section 21.2.2.2 of the handbook seems to advise against doing this when all you want to do is apply security fixes:
>
>"While it is true that security fixes also go into the FreeBSD-STABLE branch, you do not need to track FreeBSD-STABLE to do this. Every security advisory for FreeBSD explains how to fix the problem for the releases it affects [1] , and tracking an entire development branch just for security reasons is likely to bring in a lot of unwanted changes as well."
>
>My intention is to apply the patches as instructed in the advisories. I'll resolve my issues with pgp so that I can validate the files first, then apply them one at a time.
>
>
I do not track FreeBSD-STABLE (on my production boxes) and don't really
advise people running production servers to run the -STABLE branch.
FreeBSD-STABLE is another development branch; the stabilization branch,
as it were. The handbook advises against it because it's a development
branch and isn't meant for production servers. The most stable FreeBSD
you can get is a -RELEASE snapshot. All security advisories are tracked
for the -RELEASE snapshot. If you're tracking 4.8-RELEASE, you'd simply
have RELENG_4_8 in your supfile. This is, as far as I've been able to
tell in my past 5 years of experience with FreeBSD, the recommended way
of doing things.
Then again, I don't blame you for wanting to validate every patch :)
--Devon
More information about the freebsd-security
mailing list