From owner-freebsd-security@FreeBSD.ORG  Tue Jan  6 20:03:59 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id F1BDCF08
 for <freebsd-security@freebsd.org>; Tue,  6 Jan 2015 20:03:59 +0000 (UTC)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3E94567B6E
 for <freebsd-security@freebsd.org>; Tue,  6 Jan 2015 19:59:39 +0000 (UTC)
Received: from secure.postconf.com (mx5.roble.com [206.40.34.5])
 by mx5.roble.com (Postfix) with ESMTP id 86C6F67836;
 Tue,  6 Jan 2015 11:59:32 -0800 (PST)
In-Reply-To: <86y4plgjnm.fsf@nine.des.no>
References: <20141223233310.098C54BB6@nine.des.no>
 <86h9wln9nw.fsf@nine.des.no> <549A5492.6000503@grosbein.net>
 <868uhx43i5.fsf@nine.des.no> <20141226200838.DE83DACE@hub.freebsd.org>
 <8661cy9jim.fsf@nine.des.no> <20141231195427.AECE022B@hub.freebsd.org>
 <86y4plgjnm.fsf@nine.des.no>
Date: Tue, 6 Jan 2015 11:59:32 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
From: "Roger Marquis" <marquis@roble.com>
To: =?iso-8859-1?Q?=22Dag-Erling_Sm=C3=B8rgrav=22?= <des@des.no>
Reply-To: marquis@roble.com
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jan 2015 20:04:00 -0000

> DES wrote:
> I do it all the time:
> $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install

Not sure if using a jail to test is relevant but this never updates (my)
binaries to the specified RELEASE/RELENG, only to the current kernel's patch
level.

Then there's the issue of specifying -RELEASE to mean -RELENG.

> Not sure what you mean by scope issues.

That's referring back to the original question of buildworld/installworld vs
"cd /usr/src/path/to/patched/binary;make install" (vs freebsd-update) and the
granularity of respective updates.

> Actually, you want to do this from *outside* the jail, partly out of
> healthy paranoia and partly so freebsd-update will re-use previously
> downloaded indexes and patches

Updates to non-jailed environments are the preferred method to be sure but
patching and testing base updates in a jail can be more convenient.

Roger