From: Mel
To: freebsd-questions@freebsd.org
Date: Thu, 11 Oct 2007 11:54:16 +0200
Subject: Re: best way to update ports
Message-Id: <200710111154.16272.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <687f2b920710102233ve746e2auece74d1e95486e73@mail.gmail.com>

On Thursday 11 October 2007 07:33:43 Bill Stwalley wrote:
> I need your advice on how to update security patches for ports on a dozen
> servers with minimal effort.
>
> As I gathered, I should run portaudit in cron jobs and then manually update
> the ports with vulnerabilities after reading UPDATING. Is this the best
> way? Is this manual way feasible for managing a dozen servers?
>
> I used to run portupgrade in cron jobs, but that created too much of a
> nightmare. For example, imap-uw broke for a few days recently.
Use a tinderbox build box; specifically, read the parts on `Customizing the
Environment' and `configuring port OPTIONS' at
http://tinderbox.marcuscom.com/README.html

The only problem left then is that you still need to manually deploy the
binary packages to the servers in case of UPDATING woes. However, with a bit
of scripting you can batch this on a case-by-case basis. The good part is
that you have all things on one machine, know when builds are broken before
they get deployed, and can test packages to see if they break your
applications in a test environment.

As a side note: portaudit has a periodic script that installs in
/usr/local/etc/periodic/security - you can enable it in /etc/periodic.conf
so it's part of the daily security report (I think it's even on by default).

--
Mel
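The scripting step the reply leaves open, as an added example that is not part of the thread and not tinderbox's or portaudit's own code: it reads per-host `portaudit -a` reports, works out which rebuilt package each server needs, prints (or runs) the `pkg_add -r` commands that fetch it from the build box, and idempotently turns on the periodic portaudit report. Everything host- or site-specific is assumed: the report line format `Affected package: <pkgname-version>`, a build box serving version-less package names under `Latest/` via `PACKAGESITE`, the `daily_status_security_portaudit_enable` periodic.conf knob (verify against the script installed under /usr/local/etc/periodic/security), and the hostnames and package names, which are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from tinderbox/portaudit.
# Batches the steps the reply describes: read per-host portaudit reports,
# decide which rebuilt packages each server needs, and emit (or run) the
# pkg_add commands that fetch them from the tinderbox build box.
#
# Assumptions (all constructed for this example):
#  - each server's `portaudit -a` output has been saved to <dir>/<hostname>
#    and contains one "Affected package: <pkgname-version>" line per finding;
#  - the build box serves its packages over HTTP at $PKG_BASE using the
#    version-less Latest/ names, so `pkg_add -r <port>` with PACKAGESITE
#    pointed there fetches the newest build;
#  - hostnames and package names are placeholders.

PKG_BASE="${PKG_BASE:-http://buildbox.example.net/packages/Latest/}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands, 0 = run them over ssh

# affected_pkgs: package names flagged in a portaudit report read from stdin,
# one per line, duplicates removed.
affected_pkgs() {
    sed -n 's/^Affected package: //p' | sort -u
}

# pkg_base_name: strip the version suffix, e.g. imap-uw-2006j_1,1 -> imap-uw,
# which is the name the build box's Latest/ directory uses.
pkg_base_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*$//'
}

# plan_deploys: print "<host> <pkgname-version>" for every finding in every
# report file under the directory given as $1.
plan_deploys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        h=$(basename "$f")
        affected_pkgs < "$f" | while read -r p; do
            printf '%s %s\n' "$h" "$p"
        done
    done
}

# deploy_cmd: the command that would replace one vulnerable package on one
# host. -f forces the reinstall even if the version string has not changed.
deploy_cmd() {
    printf 'ssh %s env PACKAGESITE=%s pkg_add -r -f %s\n' \
        "$1" "$PKG_BASE" "$(pkg_base_name "$2")"
}

# enable_portaudit_periodic: idempotently add the periodic.conf knob that
# folds portaudit into the daily security report (knob name is an assumption;
# check the script under /usr/local/etc/periodic/security on your host).
enable_portaudit_periodic() {
    grep -q '^daily_status_security_portaudit_enable=' "$1" 2>/dev/null \
        || printf 'daily_status_security_portaudit_enable="YES"\n' >> "$1"
}

# demo: run the plan over constructed reports for two hosts that share one
# finding; with DRY_RUN=0 the ssh commands are executed instead of printed.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Affected package: imap-uw-2006j_1,1\nType of problem: remote DoS.\n' > "$d/mail1"
    printf 'Affected package: imap-uw-2006j_1,1\nAffected package: php5-5.2.3\n' > "$d/web1"
    plan_deploys "$d" | while read -r h p; do
        if [ "$DRY_RUN" = 1 ]; then
            deploy_cmd "$h" "$p"
        else
            ssh "$h" env PACKAGESITE="$PKG_BASE" pkg_add -r -f "$(pkg_base_name "$p")"
        fi
    done
    rm -rf "$d"
}

demo
```

Because `plan_deploys` only reads files, the report collection itself (for example `ssh host portaudit -a > reports/host` from cron) stays separate, so the plan can be inspected against UPDATING before `DRY_RUN=0` pushes anything.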