Date: Mon, 31 Oct 2005 04:43:00 +0300
From: "Andrew P." <infofarmer@gmail.com>
To: "Grigory O. Ptashko" <trancer@bk.ru>
Cc: freebsd-questions@freebsd.org
Subject: Re: Buildworld and Security advisories.
Message-ID: <cb5206420510301743i647969a3j9d77bdf609186a3c@mail.gmail.com>
In-Reply-To: <1087232230.20051031003352@bk.ru>
References: <1087232230.20051031003352@bk.ru>
On 10/31/05, Grigory O. Ptashko <trancer@bk.ru> wrote:
> Hello, list.
>
> I am new to FreeBSD source upgrading/patching source tree system.
> After reading the following chapters from the handbook:
>
> 14.14 FreeBSD Security Advisories
> 20 The Cutting Edge (about rebuilding "world")
>
> I have some questions.
>
> 1) If I install a FreeBSD RELEASE on a machine what do I have to do to
> patch all those bugs listed in FreeBSD Security Advisories?
> Is it enough to synchronize my source tree with the STABLE branch or
> do I have to get all patches and apply them manually?
> And if I must patch the source tree manually do I have to do this after
> synchronizing the source tree with STABLE or before? Or it doesn't
> matter?
>
> In two words what are the relations between patching the bugs listed in
> Advisories and the process of synchronizing the source tree of the
> RELEASE with the STABLE?
>
> 2) How often should I synchronize sources with the STABLE?
>
> Currently I am working with 4.11 RELEASE.
>
>
> Thanks!
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

To get all security fixes for your OS, you should do _one_ of the following:

* patch manually and recompile - as stated in the SA
* synchronize to the security branch, i.e. RELENG_4_11 or RELENG_5_4,
  and rebuild world/kernel
* synchronize to the stable branch, i.e. RELENG_4, RELENG_5 or RELENG_6,
  and rebuild world/kernel
* perform a binary upgrade

You can use either way each time a SA is published, no matter what way you have used last time. For example you can perform a binary upgrade from RELEASE to 5.4-p1, then patch manually and recompile to 5.4-p2 then sync to stable, then sync to security branch and so on. Sometimes binary and manual upgrades leave uname output "old", but they always fix a security hole.

Often, users manually patch systems where a reboot is very undesirable, sync to security branch on all mission-critical servers, where a reboot is possible, sync to stable on all other servers and use binary upgrades on systems that are very slow, or limited in other ways.