Date: Sat, 16 Sep 2006 22:17:42 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Bob <bob@tania.servebbs.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: When is BuildWorld necessary?
Message-ID: <450C69F6.8060000@infracaninophile.co.uk>
In-Reply-To: <200609161541.38002.bob@tania.servebbs.org>
References: <200609161541.38002.bob@tania.servebbs.org>

Bob wrote:
> Hi:
>
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping
> things up-to-date using CVSup.
>
> When portaudit tells me I have a security issue; I update/re-install the
> affected port. When a kernel patch comes in, I re-compile the kernel; which
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
>
> From what I can tell, buildworld re-builds the base system, something I have
> yet to do. My thought is to do a buildworld only when the OS version is
> updated to the next number above 6.1. I understand this happens at about 4
> month intervals.
>
> My question is, is there a good reason to buildworld before a version change?
> I hate "fixing" something which is working perfectly, and this system has
> been stellar!

You can't assume that any patch release on a security branch is solely
going to be to fix things in the kernel. More often than not, the
upgrade is to fix things in the userland. That means you have to
recompile and re-install the affected software.

Generally security advisories will tell you how to patch and update the
specifically affected stuff. On the whole though, it always works to
apply a full buildworld cycle as described in /usr/ports/UPDATING, and
for certain security problems it's the only way to be sure the base
system is rendered invulnerable[*]. Also it means the system version
number gets bumped making it easy to identify what machines have been
patched weeks or months down the line.

If you haven't been rebuilding and re-installing world along with kernel
as part of the update cycle, then there is a distinct possibility that
you are still exposed e.g. to the sendmail vulnerabilities from SA-06:17 or
the ypserv problems from SA-06:15 or to various others.

You will find that running the full buildworld procedure is a pretty
smooth operation and if applied with due care and attention it is not at
all difficult to get the system successfully updated nor is it hard to
avoid foot-shooting while doing so.

Cheers,

Matthew

[*] Where there is significant change of a vulnerability from the base
system affecting 3rd party software from the ports or wherever, that
should be discussed in the security advisories that come out, as well as
what measures are necessary to provide a fix.

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey