Date: Sat, 8 Apr 2006 07:47:16 +0100 (BST)
From: bsd@bathnetworks.com
To: "Jonathan Horne" <freebsd@dfwlp.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: a few questions and concepts
Message-ID: <1180.192.168.0.107.1144478836.squirrel@192.168.0.50>
In-Reply-To: <200604071911.49662.freebsd@dfwlp.com>
References: <43461.208.11.134.3.1144443260.squirrel@mail.dfwlp.com> <20060407213423.GB96006@gothmog.pc> <200604071911.49662.freebsd@dfwlp.com>
> On Friday 07 April 2006 16:34, Giorgos Keramidas wrote:
>> On 2006-04-07 15:54, Jonathan Horne <freebsd@dfwlp.com> wrote:
>> > im still pretty new to freebsd. ive been playing around with the cvsup
>> > tools, and they are quite fascinating.
>> >
>> > i changed my production server from Fedora to FreeBSD 6.0, about 1 day
>> > before the most recent sendmail exploit was published (well, published on
>> > freebsd.org anyway).
>>
>> Murphy at work, again, eh? :)
>>
>> > i did download the patch and recompile it, but as some have also noted
>> > on this list, that it still banners as 8.13.4 when you telnet to it.
>> >
>> > so, the past couple of days, i have learned to cvsup my /usr/src
>> > directories. ive just been using the standard copy of the
>> > stable-supfile. i have learned that if i perform the sendmail recompile
>> > after the cvsup, that sendmail seems to proclaim 8.13.6 in the banner.
>> > on top of that, i have learned that if i recompile the kernel after
>> > cvsup, that it no longer says FreeBSD 6.0-RELEASE, but FreeBSD
>> > 6.1-PRERELEASE.
>>
>> You are running RELENG_6 now, which is much more recent than
>> RELENG_6_0_RELEASE.
>>
>> The first one is the top of the 6.X branch, which changes moderately
>> slow, but it *does* change. The 6.0-RELEASE source tree is "frozen in
>> time" at the point the tag was placed on the source tree.
>>
>> > my questions:
>> > 1) after cvsup, i think i can assume that sendmail is now compiling from
>> > sourcecode that should definitely be free from the current exploit. i
>> > would also assume that anything that i would need to recompile from
>> > /usr/src should also see the benefit of 'latest source code'?
>>
>> Yes, both true.
>>
>> > 2) on a production server, should i avoid recompiling a kernel that will
>> > be FreeBSD 6.1-PRERELEASE? on the whole, how reliable is the bulk of
>> > these newer sources that were pulled down by cvsup?
>>
>> In general, if you are a bit paranoid, you should avoid running RELENG_6 on
>> a production system. At least until you have thoroughly tested it on a
>> "test system" and found everything working as expected.
>>
>> > i can definitely see the benefits of using cvsup to take care of
>> > problem with some things (like sendmail), but allowing it to update
>> > everything under the /usr/src tree, im wondering if i could be setting
>> > myself up for issues (by not editing the stable-supfile and taking
>> > only what i need).
>>
>> This is why each FreeBSD release is associated with at least:
>>
>> * A "frozen" tag, like RELENG_6_0_RELEASE
>>
>> * A security branch, like RELENG_6_0
>>
>> * A stable branch, like RELENG_6
>>
>> Changes go very fast in the CURRENT FreeBSD branch. After they settle
>> in for a while, some of them are backported to the RELENG_X branch. The
>> RELENG_X branch changes much slower than the experimental, CURRENT
>> branch, but it does change every time a new feature is backported to
>> RELENG_X.
>>
>> Then, when security fixes are made available, they are added both to the
>> RELENG_X branch and the RELENG_X_Y security branches.
>>
>> If all you want is the "frozen" release sources plus changes that are
>> really really necessary, because they fix a serious security bug, you
>> probably want RELENG_X_Y (RELENG_6_0 in this case).
>>
>> Regards,
>> Giorgos
>
> thank you kindly for your reply, that was quite informative. ive actually
> read the document on the differences between the stable, current, and release
> (or whatever), and find that system quite confusing for the moment. im sure
> ill grasp the method of the madness eventually. i guess what confuses me, is
> that i read about those, and then try to find them on the ftp sites. i
> assume, that only release is made into a .iso file? and to move to a higher
> version (either the security RELENG_6_0 or stable RELENG_6), you do this thru
> the cvsup tool.

Yes, as far as I can tell that is correct; it confused me at first. The iso
image is the latest release for each branch.

>
> so, by your descriptions and reply to my previous comments, my system that is
> running what says 6.1-PRERELEASE is really RELENG_6 (stable) ?
>

Again correct. Don't forget 'stable' is not that stable; it is a snapshot of
'current' that is stable enough to be released.

> thanks,
> Jonathan Horne

The other confusing thing is that the tags only really refer to the
'userland', i.e. the core system. The ports get updated as and when. On the
system I am currently working on, which will be a production server, I don't
want too much change when in production, so I am following the 6.0 branch at
present (RELENG_6_0). I have portaudit installed, which tells me what ports
have been updated through security issues, and I can decide if I need to
update them. Apart from that I will probably leave it alone.

Hope this helps

Rob
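
Added example, not part of the original message: a small sh check that reads the `tag=` setting from a cvsup supfile and reports whether it follows a frozen release tag, a security branch, or the moving stable branch discussed in this thread. The sample supfile and the host `cvsup.example.org` are constructed, the function names are hypothetical, and `tag=.` selecting CURRENT is standard cvsup usage rather than something stated in the thread.

```sh
# Added example (not from the thread): report which branch a cvsup supfile tracks.

# classify_tag TAG: name the kind of branch, using the naming described in the thread.
classify_tag() {
    if [ "$1" = "." ]; then echo current            # tag=. is HEAD, i.e. CURRENT
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+_[0-9]+_RELEASE$'; then
        echo frozen-release
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+_[0-9]+$'; then
        echo security-branch
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+$'; then
        echo stable-branch
    else echo unknown
    fi
}

# supfile_tag FILE: print the tag= value of the last "*default" line that sets one.
supfile_tag() {
    sed -n 's/#.*//; /^\*default/ s/.*[[:space:]]tag=\([^[:space:]]*\).*/\1/p' "$1" |
        tail -n 1
}

# check_supfile FILE: succeed only for a frozen tag or a security branch.
check_supfile() {
    kind=$(classify_tag "$(supfile_tag "$1")")
    echo "$1: $(supfile_tag "$1") ($kind)"
    case "$kind" in
        frozen-release|security-branch) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample FILE TAG: constructed supfile; the host is a placeholder.
write_sample() {
    cat > "$1" <<EOF
# constructed sample, modelled on a stable-supfile
*default host=cvsup.example.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=$2   # branch to follow
src-all
EOF
}

dir=$(mktemp -d)
for t in RELENG_6_0_RELEASE RELENG_6_0 RELENG_6; do
    write_sample "$dir/$t" "$t"
    check_supfile "$dir/$t" || echo "  -> not frozen/security: test before production use"
done
rm -rf "$dir"
```
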