Date: Tue, 28 Sep 2010 18:50:23 +0100
From: Mike Clarke <jmc-freebsd2@milibyte.co.uk>
To: freebsd-questions@freebsd.org
Cc: perryh@pluto.rain.com
Subject: Re: Free BSD 8.1
Message-ID: <201009281850.23976.jmc-freebsd2@milibyte.co.uk>
In-Reply-To: <4ca19305.qVDnt7/ifQhIrQ0c%perryh@pluto.rain.com>
References: <20100926123019.GA41450@lpthe.jussieu.fr> <201009271016.26902.jmc-freebsd2@milibyte.co.uk> <4ca19305.qVDnt7/ifQhIrQ0c%perryh@pluto.rain.com>
On Tuesday 28 September 2010, perryh@pluto.rain.com wrote:

> Mike Clarke <jmc-freebsd2@milibyte.co.uk> wrote:
[snip]
> > The problem is if/when you need to update a port as a result of
> > a security advisory. If your ports tree is very much out of date
> > then it's likely that updating that one port will require a number
> > of dependencies to be updated as well, sometimes all the ports
> > depending on one or more of the updated dependencies need to be
> > updated as well and the resultant bag of worms can take quite a
> > lot of sorting out. The "little and often" approach of keeping
> > the ports tree up to date could be less traumatic.
>
> and, in this context, your point is?
>
> I'm advocating starting from a stable and self-consistent baseline,
> consisting of a release _and_ its corresponding port/package
> collection, and then considering whether any updates are needed.
> Isn't that orthogonal to the question of whether or not to follow
> ports updates, once the baseline has been established?

Well, I'd normally be happy to stay with the original release state without having to have the "latest & greatest" version of each application, but I prefer to update any ports which have been flagged by portaudit as having security vulnerabilities, and this is when the problem could arise. Updating a single port in isolation without updating the ports tree can lead to problems with dependencies, so you invariably need to update your ports tree and update the dependencies for the port in question. If, for example, you were to build a web server by installing 8.1-RELEASE and the matching package for apache you would have apache-2.2.15_9, which suffers from a remote DoS bug and should be upgraded to 2.2.16 <http://www.vuxml.org/freebsd/CVE-2010-1452.html>.
As Warren Block has pointed out elsewhere in this thread, there's usually a flurry of port updates when the ports tree is unfrozen just after a release, so if you now update the ports tree and upgrade your ports there could be a large number of ports to upgrade. Most of them can be upgraded quite painlessly with portmaster or portupgrade, but you'd need to check /usr/ports/UPDATING to see if any of them needed special attention; fixing a single special case is usually quite straightforward, but things sometimes get more complex when there are several.

If, on the other hand, you installed the base system, updated your ports tree and then built what you needed from ports (or the latest packages), you'd get the latest versions without having to sort out any conflicts. If you wait a long time before a new vulnerability pushes you into doing your next upgrade then you'll still probably have quite a lot to sort out, but updating small numbers of ports more frequently usually involves less work than an occasional mega upgrade.

Well, that's just my 2 cents worth, and it does depend on how many ports you have. A minimal server setup with few ports will probably not need very frequent port upgrades, but something like a desktop could easily have 700 or more ports, and it can be quite messy to upgrade your ports if it's been a long time since the last upgrade.

-- 
Mike Clarke
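The step Mike describes of checking /usr/ports/UPDATING for entries that need special attention is easy to automate, and doing it before every small upgrade is what keeps the "little and often" approach cheap. The script below is an added example, not part of the original message or of any FreeBSD tool: it parses the real UPDATING layout (a `YYYYMMDD:` header line followed by an indented `AFFECTS: users of <origin>` line) and reports only the entries whose AFFECTS line names a port origin that is actually installed, optionally limited to entries newer than the date of your last upgrade. The UPDATING excerpt and the installed-origin list are constructed sample data; the `updating_hits` function name, and the assumption that `pkg_info -qoa` (or `pkg query %o` on newer systems) is how you obtain the installed-origin list, are mine.

```shell
#!/bin/sh
# Added example: list /usr/ports/UPDATING entries that affect installed ports.
# Not from the original message or from the ports tree; assumes the standard
# UPDATING layout ("YYYYMMDD:" header, indented "AFFECTS: users of <origin>").

# Constructed sample UPDATING excerpt (dates, authors and text are invented).
SAMPLE_UPDATING='20100920:
  AFFECTS: users of www/apache22
  AUTHOR: example@example.org (constructed entry)

  Example note: apache22 entry text.

20100910:
  AFFECTS: users of lang/php5 and all php5-* ports
  AUTHOR: example@example.org (constructed entry)

  Example note: php5 entry text.

20100901:
  AFFECTS: users of multimedia/vlc
  AUTHOR: example@example.org (constructed entry)

  Example note: vlc entry text.
'

# Constructed installed-origin list, one origin per line, in the shape that
# "pkg_info -qoa" (pkg_tools) or "pkg query %o" (pkg) prints (assumption).
SAMPLE_INSTALLED='www/apache22
lang/php5
devel/gmake
'

# updating_hits UPDATING_TEXT INSTALLED_ORIGINS [SINCE_YYYYMMDD]
# Prints "DATE ORIGIN" for every entry dated >= SINCE (default 0, i.e. all)
# whose AFFECTS line mentions an installed origin. Newest entries come first
# because UPDATING is kept in reverse chronological order.
updating_hits() {
    printf '%s\n' "$1" | awk -v since="${3:-0}" -v installed="$2" '
    BEGIN {
        # Build a lookup table of installed origins.
        n = split(installed, arr, "\n")
        for (i = 1; i <= n; i++) if (arr[i] != "") inst[arr[i]] = 1
    }
    # Entry header: remember the date, then move on.
    /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ { date = substr($0, 1, 8); next }
    # AFFECTS line of an entry that is recent enough: compare each word
    # (minus trailing punctuation) against the installed origins.
    /^[ \t]*AFFECTS:/ && date + 0 >= since + 0 {
        for (i = 1; i <= NF; i++) {
            w = $i; sub(/[,;]$/, "", w)
            if (w in inst) print date, w
        }
    }'
}

# Sample run against the constructed data: reports apache22 and php5, not vlc.
updating_hits "$SAMPLE_UPDATING" "$SAMPLE_INSTALLED"

# Real use on a FreeBSD host (assumed invocation, not run here), limited to
# entries since the last upgrade:
#   updating_hits "$(cat /usr/ports/UPDATING)" "$(pkg_info -qoa)" 20100723
```

Matching on whole words deliberately misses prose-only entries ("all php5-* ports" would only be caught via the `lang/php5` origin on the same line), so treat the output as the list of entries to read first, not as proof that nothing else needs attention.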