Re: How is the patchlevel set?

2005-07-01 Thread Jonathan Noack

On 06/30/05 15:47, lars wrote:

> I can't seem to find out how the patchlevel is set.
>
> Is it incremented with each SA's patch, kernel or world,
> or only kernel or only world?
>
> Could anyone point me to some documentation by the FreeBSD project?
>
> I know this is the stable list, but I don't want to subscribe to
> one more list just for this question.


The patch level is set in src/sys/conf/newvers.sh.  I believe this means 
that it is only updated after rebuilding the kernel (see 'sysctl 
kern.version').


I have often applied patches from Security Advisories and rebuilt only 
what was necessary instead of world/kernel.  With a userland 
vulnerability, this is often the most expedient and unintrusive method.
However, the new patch level is not set this way so you have to
document the update for yourself.  On client machines I sometimes do the 
full world/kernel rebuild and schedule a reboot just to avoid questions 
about whether the machine is up-to-date.


--
Jonathan Noack | [EMAIL PROTECTED] | OpenPGP: 0x991D8195
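
Added example, not part of the original messages: a POSIX sh check that compares the patch level recorded in a source tree's newvers.sh with the release string a kernel reports, which is the gap the message above describes. It assumes newvers.sh assigns `REVISION="..."` and `BRANCH="..."` on their own lines; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare newvers.sh's patch level with a kernel release string.
# Assumption: newvers.sh contains lines of the form REVISION="5.4" and
# BRANCH="RELEASE-p5" (the values used below are constructed samples).

# Print "<REVISION>-<BRANCH>" from the newvers.sh file given as $1.
src_release() {
    rev=$(sed -n 's/^REVISION="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    br=$(sed -n 's/^BRANCH="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$rev" ] && [ -n "$br" ] || return 1
    printf '%s-%s\n' "$rev" "$br"
}

# Print the numeric patch level of a release string: "5.4-RELEASE-p3" -> 3.
# A string without a -pN suffix counts as patch level 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# $1 = path to newvers.sh, $2 = kernel release (e.g. output of `uname -r`).
# Returns 0 if the kernel is at or above the source patch level, 1 if not,
# 2 if newvers.sh could not be parsed.
check_patchlevel() {
    src=$(src_release "$1") || { echo "unknown: cannot parse $1"; return 2; }
    src_pl=$(patch_level "$src")
    run_pl=$(patch_level "$2")
    if [ "${src%-p[0-9]*}" != "${2%-p[0-9]*}" ]; then
        echo "mismatch: source is $src, kernel reports $2"; return 1
    elif [ "$run_pl" -lt "$src_pl" ]; then
        echo "stale: kernel reports -p$run_pl, source is at -p$src_pl"; return 1
    fi
    echo "ok: kernel reports $2, source is $src"
}

# Constructed sample standing in for src/sys/conf/newvers.sh.
sample=$(mktemp)
printf 'TYPE="FreeBSD"\nREVISION="5.4"\nBRANCH="RELEASE-p5"\n' > "$sample"
check_patchlevel "$sample" "5.4-RELEASE-p3" || true
# On a real host (assuming sources under /usr/src):
#   check_patchlevel /usr/src/sys/conf/newvers.sh "$(uname -r)"
```

A "stale" result only says the running kernel predates the patched tree. An "ok" result says nothing about userland, and a userland-only rebuild leaves the kernel string unchanged, so those updates still need to be recorded separately.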




Re: How is the patchlevel set?

2005-07-01 Thread lars

Thanks guys.

It seems
src/sys/conf/newvers.sh
is only triggered by a recompilation of the kernel,
at least the lines
i=`${MAKE:-make} -V KERN_IDENT`
and
char kern_ident[] = ${i};
make me believe that.

I also try to cvsup my src and recompile the kernel and world
in one go instead of only patching and recompiling the subsystem,
since that bumps the patchlevel and keeps all synchronised.
That's not possible in all scenarios, of course.

Again thanks for the answers, but how did you find that out?

Kind regards,
lars.
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How is the patchlevel set?

2005-07-01 Thread Jonathan Noack

On 7/1/2005 11:36 AM, lars wrote:

> It seems
> src/sys/conf/newvers.sh
> is only triggered by a recompilation of the kernel,
> at least the lines
> i=`${MAKE:-make} -V KERN_IDENT`
> and
> char kern_ident[] = ${i};
> make me believe that.
>
> I also try to cvsup my src and recompile the kernel and world
> in one go instead of only patching and recompiling the subsystem,
> since that bumps the patchlevel and keeps all synchronised.
> That's not possible in all scenarios, of course.
>
> Again thanks for the answers, but how did you find that out?


I originally suspected as much based on experience.  I got curious and 
noticed that newvers.sh was one of the files changed with every security 
update.  From there it was code inspection...


--
Jonathan Noack | [EMAIL PROTECTED] | OpenPGP: 0x991D8195


