Date:      Fri, 29 Aug 2014 08:50:45 +0100
From:      Arthur Chance <freebsd@qeng-ho.org>
To:        Mike Clarke <jmc-freebsd2@milibyte.co.uk>, freebsd-questions@freebsd.org,  "William A. Mahaffey III" <wam@hiwaay.net>
Subject:   Re: Ports question ....
Message-ID:  <540030D5.2030409@qeng-ho.org>
In-Reply-To: <1516592.A8M2VIF6ck@curlew.lan>
References:  <53FF8675.2070009@hiwaay.net> <53FF8860.8000405@gmail.com> <53FF8E28.2010308@hiwaay.net> <1516592.A8M2VIF6ck@curlew.lan>

On 28/08/2014 23:31, Mike Clarke wrote:
> On Thursday 28 August 2014 15:16:40 William A. Mahaffey III wrote:
>
>> I think that is what I am asking .... To be more precise, how often
>> should I check to see if it is updated, weekly, monthly, other ....
>> I guess that is the nub of the question ....
>
> It's largely down to what's most convenient for you.
>
> There's a lot to be said for the "If it ain't broke don't mend it"
> philosophy. If everything's working fine on your system and you don't
> need the latest and greatest new feature recently added to one of your
> ports then there's no real need to keep updating them.

Agreed. I have a cron job that updates /usr/ports every week and mails 
me a diff between the previous and latest /usr/ports/UPDATING. If 
there's a security problem shown by pkg audit (see below) or if UPDATING 
shows a new feature I'd like to have, I upgrade, otherwise I tend to 
leave things alone.

> If a port has just been updated to fix some freshly discovered
> security issue then you need to upgrade it ASAP. Running the periodic
> script from ports-mgmt/portaudit is a good way of being kept up to
> date with new vulnerabilities affecting ports installed on your
> system.

If you're using pkgng you don't need to install a port to audit ports, 
the pkg system should be doing it automatically. Look at

/usr/local/etc/periodic/security/410.pkg-audit

This is controlled by the value of daily_status_security_pkgaudit_enable 
in /etc/periodic.conf but defaults to "YES" if not set.

You can just type "pkg audit" at the command line as well. man pkg-audit 
for details.

> There could be a delay before a new version of a vulnerable port is
> available. You can check what the latest revision level of a port is
> by looking it up at <http://www.freshports.org>.
>
> After running portsnap you can run "pkg version -vIL=" to see a list
> of which ports have version numbers which differ from the latest.

Again, this is dealt with by periodic. The weekly script 400.status-pkg 
(find it in /usr/local/etc/periodic/weekly) will tell you which packages 
are out of date. Enable it by

weekly_status_pkg_enable="YES"

in /etc/periodic.conf. It'll turn up on Saturdays.

> You need to maintain all your ports in a consistent state, upgrading
> just one port can lead to dependency problems so it's worth using
> ports-mgmt/portmaster after running portsnap, this can upgrade all
> affected ports.

Personally I use poudriere for port building, but I run a very 
customised system so need to build all ports myself.

> If you only upgrade your ports when required by security issues then
> you may find that there are lots of ports with newer versions so, to
> reduce the workload, you might prefer to upgrade rather more
> frequently than waiting until a security issue requires it.

Good advice. If I haven't upgraded in a couple of months, I'll usually 
do an upgrade anyway. There have been times when I've left things for 
longer and then had so many changes that it was easier to delete all 
packages and reinstall. I hope the new solver in pkg makes that less of 
a problem.

> Sometimes you will need to give some ports individual attention before
> running a bulk upgrade. Check for this by seeing if any of your ports
> are mentioned in /usr/ports/UPDATING - you only need to check entries
> dated later than the last time you did an upgrade and take whatever
> action is advised there.
>
> If you pay attention to /usr/ports/UPDATING then portmaster will
> usually upgrade all affected ports without problems but sometimes you
> come across a situation that it can't handle and you might need to
> deal with the problematic port yourself.
>

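The weekly cron job described in this reply (update the tree, mail the difference between the saved and the new /usr/ports/UPDATING, then decide whether to upgrade) can be written as a small sh script. The one below is an added example, not the poster's actual job: the state directory under /var/db, the recipient, the cron schedule and the two sample UPDATING entries are all assumptions or constructed data. Besides the raw diff it pulls out the AFFECTS: lines of the new entries, which is the part you compare against what is installed before deciding whether an upgrade is worth doing.

```shell
#!/bin/sh
# Weekly /usr/ports update that mails a diff of UPDATING.
# Added illustration, not the poster's own cron job. The state directory,
# the recipient and the cron schedule below are assumptions.
#
# Suggested crontab entry (assumed schedule, early Saturday morning):
#   0 4 * * 6 /usr/local/sbin/ports-updating-report run

PORTSDIR="${PORTSDIR:-/usr/ports}"
STATEDIR="${STATEDIR:-/var/db/ports-updating}"   # assumed; keeps the previous UPDATING
MAILTO="${MAILTO:-root}"

# Unified diff between the saved and the current UPDATING. diff exits 1 when
# the files differ, which is the case we want, so do not treat it as failure.
updating_diff() {
    diff -u "$1" "$2" || true
}

# Number of UPDATING entries added since the saved copy. Each entry starts
# with a YYYYMMDD: line, so count the added lines of that shape.
count_new_entries() {
    updating_diff "$1" "$2" | grep -c '^+[0-9]\{8\}:' || true
}

# AFFECTS: lines of the new entries, one per line, so they can be matched
# against the installed package list without reading the whole diff.
new_affects() {
    updating_diff "$1" "$2" | sed -n 's/^+[[:space:]]*AFFECTS:[[:space:]]*//p'
}

# Fetch the tree and, if UPDATING changed, mail a summary plus the diff.
weekly_run() {
    mkdir -p "$STATEDIR"
    prev="$STATEDIR/UPDATING.prev"
    cur="$PORTSDIR/UPDATING"
    [ -f "$prev" ] || cp "$cur" "$prev"
    portsnap fetch update >/dev/null
    if ! cmp -s "$prev" "$cur"; then
        {
            echo "New UPDATING entries: $(count_new_entries "$prev" "$cur")"
            echo "Ports they affect:"
            new_affects "$prev" "$cur" | sed 's/^/  /'
            echo
            updating_diff "$prev" "$cur"
        } | mail -s "ports UPDATING changed on $(hostname)" "$MAILTO"
        cp "$cur" "$prev"
    fi
}

# Constructed UPDATING snapshots for an offline demonstration. The entries
# are made up for this example and are not real UPDATING text.
make_demo_snapshots() {
    dir="$1"
    cat > "$dir/prev" <<'EOF'
20140801:
  AFFECTS: users of lang/perl5.16
  AUTHOR: example@example.org

  Constructed entry standing in for an older UPDATING note.
EOF
    {
        cat <<'EOF'
20140828:
  AFFECTS: users of security/openssl
  AUTHOR: example@example.org

  Constructed entry standing in for a newly added UPDATING note.

EOF
        cat "$dir/prev"
    } > "$dir/cur"
}

case "${1:-}" in
    run)  weekly_run ;;
    demo) d=$(mktemp -d)
          make_demo_snapshots "$d"
          echo "New entries: $(count_new_entries "$d/prev" "$d/cur")"
          new_affects "$d/prev" "$d/cur"
          rm -rf "$d" ;;
esac
```

Run it with `demo` to see the summary computed over the constructed snapshots without touching /usr/ports; install it under a name of your choosing and call it with `run` from cron for the real thing. The saved copy is only refreshed after the mail goes out, so a failed `portsnap` run leaves the next week's diff covering both weeks rather than silently dropping entries.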