Date:      Sat, 16 Sep 2006 22:17:42 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Bob <bob@tania.servebbs.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: When is BuildWorld necessary?
Message-ID:  <450C69F6.8060000@infracaninophile.co.uk>
In-Reply-To: <200609161541.38002.bob@tania.servebbs.org>
References:  <200609161541.38002.bob@tania.servebbs.org>

Bob wrote:
> Hi:
>
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping
> things up-to-date using CVSup.
>
> When portaudit tells me I have a security issue; I update/re-install the
> affected port. When a kernel patch comes in, I re-compile the kernel; which
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
>
> From what I can tell, buildworld re-builds the base system, something I have
> yet to do. My thought is to do a buildworld only when the OS version is
> updated to the next number above 6.1. I understand this happens at about 4
> month intervals.
>
> My question is, is there a good reason to buildworld before a version change?
> I hate "fixing" something which is working perfectly, and this system has
> been stellar!

You can't assume that any patch release on a security branch is solely
going to be to fix things in the kernel.  More often than not, the
upgrade is to fix things in the userland.

That means you have to recompile and re-install the affected software.
Generally security advisories will tell you how to patch and update
the specifically affected stuff.  On the whole though, it always works
to apply a full buildworld cycle as described in /usr/ports/UPDATING,
and for certain security problems it's the only way to be sure the base
system is rendered invulnerable[*].  Also it means the system version
number gets bumped making it easy to identify what machines have been
patched weeks or months down the line.

If you haven't been rebuilding and re-installing world along with kernel
as part of the update cycle, then there is a distinct possibility that
you are still exposed e.g. to the sendmail vulnerabilities from SA-06:17 or
the ypserv problems from SA-06:15 or to various others.

You will find that running the full buildworld procedure is a pretty
smooth operation and if applied with due care and attention it is not
at all difficult to get the system successfully updated nor is it
hard to avoid foot-shooting while doing so.

	Cheers,

	Matthew

[*] Where there is significant change of a vulnerability from the base
system affecting 3rd party software from the ports or wherever, that
should be discussed in the security advisories that come out, as well
as what measures are necessary to provide a fix.


-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
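
Added example, not part of the original message or of FreeBSD itself: a heuristic check for the situation discussed above, where the kernel has been rebuilt for each patch level but world never has. It assumes installworld gives base binaries a fresh modification time, so a base binary that is not newer than the kernel file suggests userland was not reinstalled alongside it; the paths in the usage comment are assumptions for a FreeBSD 6.x layout.

```shell
#!/bin/sh
# stale_userland KERNEL FILE...
# Prints every FILE whose mtime is not newer than KERNEL's.
# Returns 0 if none were found, 1 if at least one was, 2 if KERNEL is missing.
# Heuristic only: a kernel rebuilt later for a config change alone also trips it.
stale_userland() {
    kernel=$1; shift
    [ -e "$kernel" ] || { echo "no such kernel file: $kernel" >&2; return 2; }
    stale=0
    for f in "$@"; do
        [ -e "$f" ] || continue        # component not installed, nothing to check
        # find prints the path only when it is NOT newer than the kernel
        if [ -n "$(find "$f" -prune ! -newer "$kernel" -print)" ]; then
            echo "older than kernel: $f"
            stale=1
        fi
    done
    return $stale
}

# Usage on the host being audited (assumed paths):
#   stale_userland /boot/kernel/kernel \
#       /usr/libexec/sendmail/sendmail /usr/sbin/ypserv /bin/sh
```

A non-zero result is a prompt to read the relevant advisories and run the full buildworld cycle, not proof of a specific vulnerability.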

