Re: Security Updates and Patching Two Choices?
* Chuck Swiger <[EMAIL PROTECTED]> [2004-03-30 11:14]:
> Giorgos Keramidas wrote:
> >On 2004-03-29 15:07, Charles Swiger <[EMAIL PROTECTED]> wrote:
> >>On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:
> [ ... ]
> >>>If I tag just the 4_9 Release in the CVSupfile can I just ignore the
> >>>mergemaster? Also can I just CVSup the sources and build the ones I
> >>>want? (see above)
> >>
> >>Generally one can ignore doing the mergemaster simply for a security
> >>patch.
> >
> >Unless, of course, the security patch fixes problems in /etc files that
> >mergemaster *must* update. It's not very difficult to run mergemaster.
> >I wouldn't recommend avoiding it altogether.
> [ ... ]
>
> Oh, I agree with you: I think mergemaster is a useful tool, and I don't
> think it's very difficult to use.
>
> Reasonable people disagree, however. In particular, people who aren't
> familiar with diff generally find mergemaster to be incomprehensible. :-)
>

From a [relative] newbie; it's only incomprehensible the first time or two.

--
Joshua

A woman should have compassion.
    -- Kirk, "Catspaw", stardate 3018.2
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Security Updates and Patching Two Choices?
Giorgos Keramidas wrote:
> On 2004-03-29 15:07, Charles Swiger <[EMAIL PROTECTED]> wrote:
>> On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:
[ ... ]
>>> If I tag just the 4_9 Release in the CVSupfile can I just ignore the
>>> mergemaster? Also can I just CVSup the sources and build the ones I
>>> want? (see above)
>>
>> Generally one can ignore doing the mergemaster simply for a security
>> patch.
>
> Unless, of course, the security patch fixes problems in /etc files that
> mergemaster *must* update. It's not very difficult to run mergemaster.
> I wouldn't recommend avoiding it altogether.
[ ... ]

Oh, I agree with you: I think mergemaster is a useful tool, and I don't
think it's very difficult to use.

Reasonable people disagree, however. In particular, people who aren't
familiar with diff generally find mergemaster to be incomprehensible. :-)

--
-Chuck

Re: Security Updates and Patching Two Choices?
On 2004-03-29 15:07, Charles Swiger <[EMAIL PROTECTED]> wrote:
>On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:
>>I don't want to build "all" sources when I just need these on my
>>system (bin, man, and crypto). The same selection I use from a new
>>install from /stand/sysinstall. Is that possible?
>
> If you look at /etc/default/make.conf for a bunch of components
> starting with NO_, you can set those to get something close to what
> you've asked for.

Good idea :-)

>> If I tag just the 4_9 Release in the CVSupfile can I just ignore the
>> mergemaster? Also can I just CVSup the sources and build the ones I
>> want? (see above)
>
> Generally one can ignore doing the mergemaster simply for a security
> patch.

Unless, of course, the security patch fixes problems in /etc files that
mergemaster *must* update. It's not very difficult to run mergemaster.
I wouldn't recommend avoiding it altogether.

Instead, I'd probably recommend one of two things, or both at the same
time:

  a. Read the available documentation about /etc files. You don't
     have to learn all the (admittedly, mostly boring) details about
     every single file there is. Just skim through the manpages to
     get a general idea of what purpose each file serves.

  b. Install (almost blindly) all the files that mergemaster wants to
     "update", unless you are absolutely certain you have made
     manually some changes to the installed version.

  c. Merging the files which contain local changes is easy enough, as
     long as you spend a few moments to read the sdiff(1) manpage.
     This is the tool mergemaster uses to "merge" the files it
     updates.

Please, do not skip running mergemaster :-)

- Giorgos

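An added example, not part of the original thread and not mergemaster's own logic: one way to tell which /etc files can be installed as-is (item b in the message above) and which carry local changes and need an sdiff-style merge (item c). It assumes you kept a pristine copy of the /etc files from the release you originally installed; the function name `classify_etc`, its three directory arguments and the sample trees are hypothetical.

```shell
#!/bin/sh
# classify_etc OLD_STOCK NEW_STOCK INSTALLED   (hypothetical helper)
# Prints one line per file found in NEW_STOCK:
#   same     installed file already matches the new version
#   install  installed file is unmodified stock, safe to overwrite
#   merge    installed file has local changes, merge by hand
#   new      file does not exist on the system yet
classify_etc() {
    old=$1 new=$2 cur=$3
    (cd "$new" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        f=${f#./}
        if [ ! -e "$cur/$f" ]; then
            echo "new $f"
        elif cmp -s "$new/$f" "$cur/$f"; then
            echo "same $f"
        elif [ -e "$old/$f" ] && cmp -s "$old/$f" "$cur/$f"; then
            echo "install $f"
        else
            echo "merge $f"
        fi
    done
}

# Constructed sample trees (not real FreeBSD files) to exercise the function.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/old" "$t/new" "$t/cur"
    echo "v1" > "$t/old/services"; echo "v2" > "$t/new/services"
    echo "v1" > "$t/cur/services"              # untouched stock file
    echo "v1" > "$t/old/hosts";    echo "v2" > "$t/new/hosts"
    echo "v1 + local edit" > "$t/cur/hosts"    # admin changed this one
    echo "v1" > "$t/old/shells";   echo "v1" > "$t/new/shells"
    echo "v1" > "$t/cur/shells"                # update did not touch it
    echo "v2" > "$t/new/newfile.conf"          # added by the update
    classify_etc "$t/old" "$t/new" "$t/cur"
    rm -rf "$t"
}
demo
```

Only the files reported as `merge` need the careful side-by-side review; the rest can be accepted without reading every diff.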
Re: Security Updates and Patching Two Choices?
On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:
> I don't want to build "all" sources when I just need these on my
> system (bin, man, and crypto). The same selection I use from a new
> install from /stand/sysinstall. Is that possible?

If you look at /etc/default/make.conf for a bunch of components
starting with NO_, you can set those to get something close to what
you've asked for.

> It seems the "makeworld" process is the only way to keep the system
> patched.

Someone (Colin Percival?) has a binary updating system available for
FreeBSD which might be easier for you to use.

> If I tag just the 4_9 Release in the CVSupfile can I just ignore the
> mergemaster? Also can I just CVSup the sources and build the ones I
> want? (see above)

Generally one can ignore doing the mergemaster simply for a security
patch.

Yes, you can use CVSup to update your local sources with the fix
instead of applying a patch by hand. Using a tag of RELENG_4 (aka
STABLE) or RELENG_4_9 (aka security branch of 4.9) should be what you
want.

--
-Chuck

Re: Security Updates and Patching Two Choices?
On Monday 29 March 2004 01:28 pm, Sean Murphy wrote:
> I would like to stay patched with the latest security advisories.
> However usually I wait until the next release iso becomes available and
> do a fresh install that includes all the known exploits. My reason
> behind this is the "makeworld", "CVSup", and "mergemaster" is very time
> consuming/complicated. "Mergemaster" especially when I'm merging /etc
> files that I have no clue what they do. I also don't want "all"
> sources compiled on my system. I like a minimized OS. I don't want to
> build "all" sources when I just need these on my system (bin, man, and
> crypto). The same selection I use from a new install from
> /stand/sysinstall. Is that possible?

Then perhaps freebsd-update is for you?
(/usr/ports/security/freebsd-update)

From the file pkg-descr:

more pkg-descr
This is the client half of the FreeBSD Update system; it fetches and
applies binary security updates.

WWW: http://www.daemonology.net/freebsd-update/

--
Best regards,
Chris

Security Updates and Patching Two Choices?
I would like to stay patched with the latest security advisories.
However usually I wait until the next release iso becomes available and
do a fresh install that includes all the known exploits. My reason
behind this is the "makeworld", "CVSup", and "mergemaster" is very time
consuming/complicated. "Mergemaster" especially when I'm merging /etc
files that I have no clue what they do. I also don't want "all" sources
compiled on my system. I like a minimized OS. I don't want to build
"all" sources when I just need these on my system (bin, man, and
crypto). The same selection I use from a new install from
/stand/sysinstall. Is that possible?

However in the "security advisories" the second option is to download
this file and patch the existing source and do a "makeworld". Here is an
excerpt of the latest advisory:

---
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html.
---

It seems the "makeworld" process is the only way to keep the system
patched.

If I tag just the 4_9 Release in the CVSupfile can I just ignore the
mergemaster? Also can I just CVSup the sources and build the ones I
want? (see above)

Thanks in advance

Sean Murphy
[EMAIL PROTECTED]