From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Sat, 16 Sep 2006 22:17:42 +0100
To: Bob
Cc: freebsd-questions@freebsd.org
Subject: Re: When is BuildWorld necessary?
Message-ID: <450C69F6.8060000@infracaninophile.co.uk>
In-Reply-To: <200609161541.38002.bob@tania.servebbs.org>

Bob wrote:
> Hi:
>
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping
> things up-to-date using CVSup.
>
> When portaudit tells me I have a security issue, I update/re-install the
> affected port. When a kernel patch comes in, I re-compile the kernel, which
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
>
> From what I can tell, buildworld re-builds the base system, something I have
> yet to do. My thought is to do a buildworld only when the OS version is
> updated to the next number above 6.1. I understand this happens at about 4
> month intervals.
>
> My question is, is there a good reason to buildworld before a version change?
> I hate "fixing" something which is working perfectly, and this system has
> been stellar!

You can't assume that any patch release on a security branch is solely
going to be to fix things in the kernel. More often than not, the
upgrade is to fix things in the userland. That means you have to
recompile and re-install the affected software. Generally security
advisories will tell you how to patch and update the specifically
affected stuff. On the whole though, it always works to apply a full
buildworld cycle as described in /usr/ports/UPDATING, and for certain
security problems it's the only way to be sure the base system is
rendered invulnerable[*].

Also it means the system version number gets bumped, making it easy to
identify what machines have been patched weeks or months down the line.

If you haven't been rebuilding and re-installing world along with kernel
as part of the update cycle, then there is a distinct possibility that
you are still exposed, e.g. to the sendmail vulnerabilities from SA-06:17
or the ypserv problems from SA-06:15, or to various others.

You will find that running the full buildworld procedure is a pretty
smooth operation, and if applied with due care and attention it is not
at all difficult to get the system successfully updated, nor is it hard
to avoid foot-shooting while doing so.

Cheers,

Matthew

[*] Where there is significant change of a vulnerability from the base
system affecting 3rd party software from the ports or wherever, that
should be discussed in the security advisories that come out, as well
as what measures are necessary to provide a fix.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
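As an added example (not code from the thread or from the FreeBSD project), a small POSIX sh check that flags a host whose kernel patch level has run ahead of its userland, the "kernel at p6, world never rebuilt" situation Matthew warns about. It assumes the two version strings are collected out of band (on a modern FreeBSD, `freebsd-version -k` and `freebsd-version -u`; on 6.x, the world's level recorded when installworld last ran); the sample values at the bottom are constructed.

```shell
#!/bin/sh
# Compare the patch level of the running kernel with the patch level of the
# installed userland. A kernel-only rebuild bumps the kernel to -pN while the
# userland binaries (sendmail, ypserv, ...) stay at the old level, so such a
# host still needs the full buildworld/installworld cycle.
# Assumption: version strings look like "6.1-RELEASE" or "6.1-RELEASE-p6".

# Branch part of a version string: "6.1-RELEASE-p6" -> "6.1-RELEASE"
branch_of() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# Patch level of a version string; a missing -pN suffix means level 0.
patchlevel_of() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Exit 0 if world is at least as new as the kernel, 1 if world lags the
# kernel on the same branch, 2 if kernel and world are on different branches
# (e.g. kernel 6.2-RELEASE over a 6.1 world), which needs a full upgrade anyway.
world_status() {
    if [ "$(branch_of "$1")" != "$(branch_of "$2")" ]; then
        return 2
    fi
    kp=$(patchlevel_of "$1"); wp=$(patchlevel_of "$2")
    [ "$wp" -ge "$kp" ] && return 0
    return 1
}

# One-line report for a host, given its kernel and userland version strings.
report() {
    rc=0; world_status "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1: kernel and world in sync" ;;
        1) echo "kernel $1, world $2: world is $(( $(patchlevel_of "$1") - $(patchlevel_of "$2") )) patch level(s) behind; run the full buildworld cycle" ;;
        *) echo "kernel $1, world $2: different branches; full upgrade required" ;;
    esac
}

# Constructed sample mirroring the thread: kernel rebuilt to p6, world never rebuilt.
report "6.1-RELEASE-p6" "6.1-RELEASE"
```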