Re: Tracking Security in Ports and Base System
Donald J. O'Neill wrote:
On Thursday 02 March 2006 13:59, Chris Hill wrote:
On Wed, 1 Mar 2006, [EMAIL PROTECTED] wrote:

[snip]
Is my supfile correct to track security for freebsd-6.0?
[snip]
*default release=cvs tag=RELENG_6
[snip]

As I understand it, that tag will get you the latest released version of 6.x. So today it would apply security and bugfix updates for 6.0, but after 6.1 comes out you would get 6.1, and so on. If you want to track 6.0 specifically, use RELENG_6_0. Right now there is no difference between RELENG_6 and RELENG_6_0, but later there will be.

As everyone else has said, see the Handbook for definitive answers.

HTH.

--
Chris Hill [EMAIL PROTECTED]
** [ Busy Expunging <|> ]

This is not quite correct. "tag=RELENG_6" will give you the src for 6-STABLE, which is to say "FreeBSD 6.1 PRERELEASE", or maybe it's RELEASECANDIDATE now. tag=RELENG_6_0 will get you the sources for the 6.0 release branch, used only for security and other critical fixes. So yes, there is a difference between the two tags.

Don

Yep, that's what I figured out by trial and error (sometimes the best way to learn).

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Tracking Security in Ports and Base System
Chris Hill wrote:
On Wed, 1 Mar 2006, [EMAIL PROTECTED] wrote:

[snip]
Is my supfile correct to track security for freebsd-6.0?
[snip]
*default release=cvs tag=RELENG_6
[snip]

As I understand it, that tag will get you the latest released version of 6.x. So today it would apply security and bugfix updates for 6.0, but after 6.1 comes out you would get 6.1, and so on. If you want to track 6.0 specifically, use RELENG_6_0. Right now there is no difference between RELENG_6 and RELENG_6_0, but later there will be.

As everyone else has said, see the Handbook for definitive answers.

HTH.

--
Chris Hill [EMAIL PROTECTED]
** [ Busy Expunging <|> ]

Yep, I figured that out the hard way with my beta box. It is now at 6.1 -PRERELEASE. Oh, well. Can I downgrade without facing any problems? I changed my production server's sup file to 6_0 and that worked perfect.
Re: Tracking Security in Ports and Base System
On Thursday 02 March 2006 16:23, Chris Hill wrote:
> Sorry for the misinformation! You are right, RELENG_6 is equivalent
> to -STABLE. I sit corrected.
>
> --
> Chris Hill [EMAIL PROTECTED]
> ** [ Busy Expunging <|> ]

That's ok Chris. I knew you really knew what you were talking about. It just didn't quite come out the way you meant. That's happened to me often enough. After I send something, actually as I'm in motion to hit the send, I realize too late, what I said was just a little off.

Don
Re: Tracking Security in Ports and Base System
On Thu, 2 Mar 2006, Donald J. O'Neill wrote:
On Thursday 02 March 2006 13:59, Chris Hill wrote:

[some erroneous drivel]

This is not quite correct. "tag=RELENG_6" will give you the src for 6-STABLE, which is to say "FreeBSD 6.1 PRERELEASE", or maybe it's RELEASECANDIDATE now. tag=RELENG_6_0 will get you the sources for the 6.0 release branch, used only for security and other critical fixes. So yes, there is a difference between the two tags.

Sorry for the misinformation! You are right, RELENG_6 is equivalent to -STABLE. I sit corrected.

--
Chris Hill [EMAIL PROTECTED]
** [ Busy Expunging <|> ]
Re: Tracking Security in Ports and Base System
On Thursday 02 March 2006 13:59, Chris Hill wrote:
> On Wed, 1 Mar 2006, [EMAIL PROTECTED] wrote:
>
> [snip]
> > Is my supfile correct to track security for freebsd-6.0?
> [snip]
> > *default release=cvs tag=RELENG_6
> [snip]
>
> As I understand it, that tag will get you the latest released version
> of 6.x. So today it would apply security and bugfix updates for 6.0,
> but after 6.1 comes out you would get 6.1, and so on. If you want to
> track 6.0 specifically, use RELENG_6_0. Right now there is no
> difference between RELENG_6 and RELENG_6_0, but later there will be.
>
> As everyone else has said, see the Handbook for definitive answers.
>
> HTH.
>
> --
> Chris Hill [EMAIL PROTECTED]
> ** [ Busy Expunging <|> ]

This is not quite correct. "tag=RELENG_6" will give you the src for 6-STABLE, which is to say "FreeBSD 6.1 PRERELEASE", or maybe it's RELEASECANDIDATE now. tag=RELENG_6_0 will get you the sources for the 6.0 release branch, used only for security and other critical fixes. So yes, there is a difference between the two tags.

Don
Re: Tracking Security in Ports and Base System
On Wed, 1 Mar 2006, [EMAIL PROTECTED] wrote:

[snip]
Is my supfile correct to track security for freebsd-6.0?
[snip]
*default release=cvs tag=RELENG_6
[snip]

As I understand it, that tag will get you the latest released version of 6.x. So today it would apply security and bugfix updates for 6.0, but after 6.1 comes out you would get 6.1, and so on. If you want to track 6.0 specifically, use RELENG_6_0. Right now there is no difference between RELENG_6 and RELENG_6_0, but later there will be.

As everyone else has said, see the Handbook for definitive answers.

HTH.

--
Chris Hill [EMAIL PROTECTED]
** [ Busy Expunging <|> ]
Re: Tracking Security in Ports and Base System
Randy Pratt wrote:
On Wed, 1 Mar 2006 14:31:55 -0800 (PST) Chris Maness <[EMAIL PROTECTED]> wrote:
On Wed, 1 Mar 2006, Randy Pratt wrote:
On Wed, 1 Mar 2006 10:09:51 -0800 (PST) [EMAIL PROTECTED] wrote:
On Wed, 8 Feb 2006, Chris Maness wrote:

How should I set up cvsup to just track security updates for ports. And would the best thing to do after I synced CVS, do portupgrade -a so that everything selected gets rebuilt.

I'm not sure there is a way to do this for ports, other than manually checking what's been changed and whether you consider that to be a security upgrade, then upgrading each applicable port by hand. As far as I understand, there is only one tag for ports ("tag=."), which gets you the "current" ports tree. I *can* guarantee that others know more about this than I do.

There is a port which does this for you (security/portaudit):

    portaudit provides a system to check if installed ports are
    listed in a database of published security vulnerabilities.

    After installation it will update this security database
    automatically and include its reports in the output of the
    daily security run.

What is the equivalent for the base system?

Much simpler: just track RELENG_your_release to get security updates and bug fixes and nothing else. For example, mine is RELENG_5_4 and therefore tracks 5.4-RELEASE.

Additionally, I'd suggest subscribing to one of these mailing lists so that you are notified when a SA is issued:

    [EMAIL PROTECTED]
    freebsd-announce@freebsd.org

HTH,

Randy
--

Thanks, I do have port audit installed. I was referring to system security. The base system + FreeBSD userland. I wanted to do this because I did get a notice from the security list today. Do I do a make buildworld, to update the system? Do I do this in /usr/src ?

The only thing that portaudit does is to apprise you of potential problems. You would need to update ports (/usr/ports) to fix those issues.

I probably misunderstood your question. I'll attempt to go into more detail.

Just so we're talking the same language, I call anything that is built/installed from /usr/src the 'base system'. Some people break this down into kernel+userland. Perhaps this is the userland to which you refer.

I call anything built/installed from /usr/ports "third-party applications" or the "ports tree". Some people also call this userland applications.

Each one is updated independent of the other.

If you want to update the things from /usr/src (base system), refer to the Handbook (Chapter 21 The Cutting Edge). In particular:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

It may appear complicated because of all the explanation given there and the different branches covered but it's a pretty easy process once you work thru it. I suggest going through the document and make yourself a crib sheet. Here's an example of how one might look:

    cvsup -g -L 2 stable-supfile

    # READ this!!
    less /usr/src/UPDATING

    #If an old backup exists (/etc.old) remove it
    rm -rf /etc.old

    #Make a new backup of /etc
    cp -Rp /etc /etc.old

    adjkerntz -i

    cd /usr/obj
    chflags -R noschg *
    rm -rf *

    cd /usr/src
    make buildworld

    #Check custom kernel config for changes after cvsup
    #modify as needed. If using GENERIC kernel, just leave
    #off the "KERNCONF=CUSTOM" part.
    cd /usr/src
    make buildkernel KERNCONF=CUSTOM
    make installkernel KERNCONF=CUSTOM

    # need to be in single user mode at this point
    # either reboot to single user mode according to the handbook
    # or alternatively "shutdown now" according to the handbook
    cd /usr/src
    make installworld
    mergemaster
    reboot

Please don't use the above as a substitute for reading the Handbook in detail and applying it to your own situation. In all cases, the Handbook takes precedence over the above. I also do not recommend using a scripted approach until you are comfortable with the process.

Note that the preceding does not update anything that was installed from the ports tree (/usr/ports/...).

The usual tool for doing ports updating is sysutils/portupgrade. A typical update would be like:

    #make sure dependencies are in order before starting
    #Fix any problems before starting an update.
    pkgdb -F

    #update the ports tree
    #Note that the ports tree uses only one tag "."
    #/usr/share/examples/cvsup/ports-supfile
    cvsup -g -L 2 ports-supfile

    #Read UPDATING
    less /usr/ports/UPDATING

    #Backup the package database
    tar -czvf /home/username/backup_dbpkg.tgz /var/db/pkg

    #Create a ports INDEX
    cd /usr/ports
    make index
Re: Tracking Security in Ports and Base System
On Wednesday 01 March 2006 16:31, Chris Maness wrote:
> Thanks, I do have port audit installed. I was referring to system
> security. The base system + FreeBSD userland. I wanted to do this
> because I did get a notice from the security list today. Do I do a
> make buildworld, to update the system? Do I do this in /usr/src ?

There are a couple of ways to do it. First, did you read the announcement? It tells you what the methods are that you can use. I suggest you start there and don't pay any attention to any other nonsense.

Don
Re: Tracking Security in Ports and Base System
As an addendum:

I forgot to mention that it's a good idea when updating sources or ports to wrap the process in "script" so that you have a log of what was actually done.

    script /path/to/someplace_with_space/scriptname

Then run the commands for the process involved. When you are finished then type "exit" to stop the "script" process. You will have a complete log of everything that was displayed. If you have any problems during an update, then people may ask for a log excerpt to see the actual problem.

For more information on "script":

    man script

HTH,

Randy
--
Re: Tracking Security in Ports and Base System
On Wed, 1 Mar 2006 14:31:55 -0800 (PST) Chris Maness <[EMAIL PROTECTED]> wrote:
> On Wed, 1 Mar 2006, Randy Pratt wrote:
> > On Wed, 1 Mar 2006 10:09:51 -0800 (PST)
> > [EMAIL PROTECTED] wrote:
> >
> >>> On Wed, 8 Feb 2006, Chris Maness wrote:
> >>>
> >>>> How should I set up cvsup to just track security updates for ports. And
> >>>> would the best thing to do after I synced CVS, do portupgrade -a so
> >>>> that everything selected gets rebuilt.
> >>>
> >>> I'm not sure there is a way to do this for ports, other than manually
> >>> checking what's been changed and whether you consider that to be a
> >>> security upgrade, then upgrading each applicable port by hand. As far as
> >>> I understand, there is only one tag for ports ("tag=."), which gets you
> >>> the "current" ports tree. I *can* guarantee that others know more about
> >>> this than I do.
> >
> > There is a port which does this for you (security/portaudit):
> >
> > portaudit provides a system to check if installed ports are
> > listed in a database of published security vulnerabilities.
> >
> > After installation it will update this security database
> > automatically and include its reports in the output of the
> > daily security run.
> >
> >>>> What is the equivalent for the base system?
> >>>
> >>> Much simpler: just track RELENG_your_release to get security updates and
> >>> bug fixes and nothing else. For example, mine is RELENG_5_4 and
> >>> therefore tracks 5.4-RELEASE.
> >
> > Additionally, I'd suggest subscribing to one of these mailing lists so
> > that you are notified when a SA is issued:
> >
> > [EMAIL PROTECTED]
> > freebsd-announce@freebsd.org
> >
> > HTH,
> >
> > Randy
> > --
>
> Thanks, I do have port audit installed. I was referring to system
> security. The base system + FreeBSD userland. I wanted to do this
> because I did get a notice from the security list today. Do I do a make
> buildworld, to update the system? Do I do this in /usr/src ?

The only thing that portaudit does is to apprise you of potential problems. You would need to update ports (/usr/ports) to fix those issues.

I probably misunderstood your question. I'll attempt to go into more detail.

Just so we're talking the same language, I call anything that is built/installed from /usr/src the 'base system'. Some people break this down into kernel+userland. Perhaps this is the userland to which you refer.

I call anything built/installed from /usr/ports "third-party applications" or the "ports tree". Some people also call this userland applications.

Each one is updated independent of the other.

If you want to update the things from /usr/src (base system), refer to the Handbook (Chapter 21 The Cutting Edge). In particular:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

It may appear complicated because of all the explanation given there and the different branches covered but it's a pretty easy process once you work thru it. I suggest going through the document and make yourself a crib sheet. Here's an example of how one might look:

    cvsup -g -L 2 stable-supfile

    # READ this!!
    less /usr/src/UPDATING

    #If an old backup exists (/etc.old) remove it
    rm -rf /etc.old

    #Make a new backup of /etc
    cp -Rp /etc /etc.old

    adjkerntz -i

    cd /usr/obj
    chflags -R noschg *
    rm -rf *

    cd /usr/src
    make buildworld

    #Check custom kernel config for changes after cvsup
    #modify as needed. If using GENERIC kernel, just leave
    #off the "KERNCONF=CUSTOM" part.
    cd /usr/src
    make buildkernel KERNCONF=CUSTOM
    make installkernel KERNCONF=CUSTOM

    # need to be in single user mode at this point
    # either reboot to single user mode according to the handbook
    # or alternatively "shutdown now" according to the handbook
    cd /usr/src
    make installworld
    mergemaster
    reboot

Please don't use the above as a substitute for reading the Handbook in detail and applying it to your own situation. In all cases, the Handbook takes precedence over the above. I also do not recommend using a scripted approach until you are comfortable with the process.

Note that the preceding does not update anything that was installed from the ports tree (/usr/ports/...).

The usual tool for doing ports updating is sysutils/portupgrade. A typical update would be like:

    #make sure dependencies are in order before starting
    #Fix any problems before starting an update.
    pkgdb -F

    #update the ports tree
    #Note that the ports tree uses only one tag "."
    #/usr/share/examples/cvsup/ports-supfile
    cvsup -g -L 2 ports-supfile

    #Read UPDATING
    less /usr/ports/UPDATING

    #Backup the package database
    tar -czvf /home/username/backup_dbpkg.tgz /var/db/pkg

    #Create a por
Re: Tracking Security in Ports and Base System
On Wed, 1 Mar 2006, Randy Pratt wrote:
On Wed, 1 Mar 2006 10:09:51 -0800 (PST) [EMAIL PROTECTED] wrote:
On Wed, 8 Feb 2006, Chris Maness wrote:

How should I set up cvsup to just track security updates for ports. And would the best thing to do after I synced CVS, do portupgrade -a so that everything selected gets rebuilt.

I'm not sure there is a way to do this for ports, other than manually checking what's been changed and whether you consider that to be a security upgrade, then upgrading each applicable port by hand. As far as I understand, there is only one tag for ports ("tag=."), which gets you the "current" ports tree. I *can* guarantee that others know more about this than I do.

There is a port which does this for you (security/portaudit):

    portaudit provides a system to check if installed ports are
    listed in a database of published security vulnerabilities.

    After installation it will update this security database
    automatically and include its reports in the output of the
    daily security run.

What is the equivalent for the base system?

Much simpler: just track RELENG_your_release to get security updates and bug fixes and nothing else. For example, mine is RELENG_5_4 and therefore tracks 5.4-RELEASE.

Additionally, I'd suggest subscribing to one of these mailing lists so that you are notified when a SA is issued:

    [EMAIL PROTECTED]
    freebsd-announce@freebsd.org

HTH,

Randy
--

Thanks, I do have port audit installed. I was referring to system security. The base system + FreeBSD userland. I wanted to do this because I did get a notice from the security list today. Do I do a make buildworld, to update the system? Do I do this in /usr/src ?
Re: Tracking Security in Ports and Base System
On Wed, 1 Mar 2006 10:09:51 -0800 (PST) [EMAIL PROTECTED] wrote:
> > On Wed, 8 Feb 2006, Chris Maness wrote:
> >
> >> How should I set up cvsup to just track security updates for ports. And
> >> would the best thing to do after I synced CVS, do portupgrade -a so
> >> that everything selected gets rebuilt.
> >
> > I'm not sure there is a way to do this for ports, other than manually
> > checking what's been changed and whether you consider that to be a
> > security upgrade, then upgrading each applicable port by hand. As far as
> > I understand, there is only one tag for ports ("tag=."), which gets you
> > the "current" ports tree. I *can* guarantee that others know more about
> > this than I do.

There is a port which does this for you (security/portaudit):

    portaudit provides a system to check if installed ports are
    listed in a database of published security vulnerabilities.

    After installation it will update this security database
    automatically and include its reports in the output of the
    daily security run.

> >> What is the equivalent for the base system?
> >
> > Much simpler: just track RELENG_your_release to get security updates and
> > bug fixes and nothing else. For example, mine is RELENG_5_4 and
> > therefore tracks 5.4-RELEASE.

Additionally, I'd suggest subscribing to one of these mailing lists so that you are notified when a SA is issued:

    [EMAIL PROTECTED]
    freebsd-announce@freebsd.org

HTH,

Randy
--
Re: Tracking Security in Ports and Base System
> On Wed, 8 Feb 2006, Chris Maness wrote:
>
>> How should I set up cvsup to just track security updates for ports. And would the best thing to do after I synced CVS, do portupgrade -a so that everything selected gets rebuilt.
>
> I'm not sure there is a way to do this for ports, other than manually checking what's been changed and whether you consider that to be a security upgrade, then upgrading each applicable port by hand. As far as I understand, there is only one tag for ports ("tag=."), which gets you the "current" ports tree. I *can* guarantee that others know more about this than I do.
>
>> What is the equivalent for the base system?
>
> Much simpler: just track RELENG_your_release to get security updates and bug fixes and nothing else. For example, mine is RELENG_5_4 and
> therefore tracks 5.4-RELEASE.
>
> HTH.
>
> --
> Chris Hill [EMAIL PROTECTED]
> ** [ Busy Expunging <|> ]

Is my supfile correct to track security for freebsd-6.0?

# $FreeBSD: src/share/examples/cvsup/stable-supfile,v 1.29.2.1 2005/09/28 14:00:13 kensmith Exp $
#
# This file contains all of the "CVSup collections" that make up the
# FreeBSD-stable source tree.
#
# CVSup (CVS Update Protocol) allows you to download the latest CVS
# tree (or any branch of development therefrom) to your system easily
# and efficiently (far more so than with sup, which CVSup is aimed
# at replacing). If you're running CVSup interactively, and are
# currently using an X display server, you should run CVSup as follows
# to keep your CVS tree up-to-date:
#
#	cvsup stable-supfile
#
# If not running X, or invoking cvsup from a non-interactive script, then
# run it as follows:
#
#	cvsup -g -L 2 stable-supfile
#
# You may wish to change some of the settings in this file to better
# suit your system:
#
# host=CHANGE_THIS.FreeBSD.org
#	This specifies the server host which will supply the
#	file updates. You must change it to one of the CVSup
#	mirror sites listed in the FreeBSD Handbook at
#	http://www.freebsd.org/doc/handbook/mirrors.html.
#	You can override this setting on the command line
#	with cvsup's "-h host" option.
#
# base=/var/db
#	This specifies the root where CVSup will store information
#	about the collections you have transferred to your system.
#	A setting of "/var/db" will generate this information in
#	/var/db/sup. Even if you are CVSupping a large number of
#	collections, you will be hard pressed to generate more than
#	~1MB of data in this directory. You can override the
#	"base" setting on the command line with cvsup's "-b base"
#	option. This directory must exist in order to run CVSup.
#
# prefix=/usr
#	This specifies where to place the requested files. A
#	setting of "/usr" will place all of the files requested
#	in "/usr/src" (e.g., "/usr/src/bin", "/usr/src/lib").
#	The prefix directory must exist in order to run CVSup.
#
###
#
# DANGER! WARNING! LOOK OUT! VORSICHT!
#
# If you add any of the ports or doc collections to this file, be sure to
# specify them with a "tag" value set to ".", like this:
#
# ports-all tag=.
# doc-all tag=.
#
# If you leave out the "tag=." portion, CVSup will delete all of
# the files in your ports or doc tree. That is because the ports and doc
# collections do not use the same tags as the main part of the FreeBSD
# source tree.
#
###

# Defaults that apply to all the collections
#
# IMPORTANT: Change the next line to use one of the CVSup mirror sites
# listed at http://www.freebsd.org/doc/handbook/mirrors.html.
*default host=cvsup7.FreeBSD.org
*default base=/var/db
*default prefix=/usr
# The following line is for 6-stable. If you want 5-stable, 4-stable,
# 3-stable, or 2.2-stable, change to "RELENG_5", "RELENG_4", "RELENG_3",
# or "RELENG_2_2" respectively.
*default release=cvs tag=RELENG_6
*default delete use-rel-suffix

# If you seem to be limited by CPU rather than network or disk bandwidth, try
# commenting out the following line. (Normally, today's CPUs are fast enough
# that you want to run compression.)
*default compress

## Main Source Tree.
#
# The easiest way to get the main source tree is to use the "src-all"
# mega-collection. It includes all of the individual "src-*" collections.
# Please note: If you want to track -STABLE, leave this uncommented.
src-all

# These are the individual collections th
Re: Tracking Security in Ports and Base System
In the last episode (Feb 10), Andreas Davour said:
> On Wed, 8 Feb 2006, Chuck Swiger wrote:
> >Chris Maness wrote:
> >>How should I set up cvsup to just track security updates for ports.
> >>And would the best thing to do after I synced CVS, do portupgrade
> >>-a so that everything selected gets rebuilt.
> >>
> >>What is the equivalent for the base system?
> >
> >The ports tree isn't branched; just get HEAD (aka ".") and you'll
> >get the most current version with the most recent security updates.
> >You might want to install security/portaudit, however, which is a
> >very useful tool.
>
> Which makes me finally throw out a question I've been wondering
> about. Is there no way of getting a specific tagged ports tree, if
> you'd like to get a ports tree the way it looked when, say,
> 4.6-RELEASE came out?

Use a tag of RELEASE_4_6_0 .

--
Dan Nelson
[EMAIL PROTECTED]
Re: Tracking Security in Ports and Base System
Andreas Davour wrote:
> Which makes me finally throw out a question I've been wondering about.
> Is there no way of getting a specific tagged ports tree, if you'd like
> to get a ports tree the way it looked when, say, 4.6-RELEASE came out?

Sure you can. Just edit your ports supfile to have:

    *default release=cvs tag=RELEASE_4_6_0

and re-cvsup. Note that the tags used in ports are disjoint from the tags used in the main system sources. Mix them up and you'll end up with a /usr/ports (or a /usr/src) with not a lot in it.

There's also no guarantee that any of the distfiles referenced from a ports tree that old will still be available.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. Flat 3 7 Priory Courtyard PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW, UK
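The tag rules this thread arrives at (RELENG_6 follows -STABLE, RELENG_6_0 carries only security and critical fixes, ports use "." or a RELEASE_x_y_z tag, and src and ports tags must not be mixed) can be checked mechanically before running cvsup. The following is an added example, not part of any poster's message and not FreeBSD project code; the function names classify_tag, lint_supfile and sample_supfile, the verdict wording and the sample supfile are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a cvsup supfile against the tag rules stated in this thread.
# Function names, verdict strings and the sample supfile are constructed.

# classify_tag TAG -> head | stable | security | release | unknown
classify_tag() {
    if [ "$1" = "." ]; then
        echo head        # HEAD; the ports tree is not branched
    elif [ "$1" = "RELENG_2_2" ]; then
        echo stable      # the supfile comments list this one as 2.2-stable
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+$'; then
        echo stable      # e.g. RELENG_6 is 6-STABLE
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+_[0-9]+$'; then
        echo security    # e.g. RELENG_6_0: security and critical fixes only
    elif printf '%s\n' "$1" | grep -Eq '^RELEASE_[0-9]+_[0-9]+_[0-9]+$'; then
        echo release     # e.g. RELEASE_4_6_0: ports tree as of that release
    else
        echo unknown
    fi
}

# lint_supfile: read a supfile on stdin, print "collection tag verdict"
# for every collection, using its own tag= or the *default one.
lint_supfile() (
    set -f               # words such as "*default" must not be glob-expanded
    default_tag=""
    while read -r first rest; do
        case "$first" in ''|'#'*) continue ;; esac
        tag=""
        for word in $rest; do
            case "$word" in
                '#'*)  break ;;              # trailing comment
                tag=*) tag=${word#tag=} ;;
            esac
        done
        if [ "$first" = "*default" ]; then
            if [ -n "$tag" ]; then default_tag=$tag; fi
            continue
        fi
        if [ -z "$tag" ]; then tag=$default_tag; fi
        kind=$(classify_tag "$tag")
        case "$first:$kind" in
            src-*:security)
                verdict="OK security and critical fixes only" ;;
            src-*:stable)
                verdict="WARN follows -STABLE, not just security fixes" ;;
            src-*:head)
                verdict="WARN follows HEAD, not just security fixes" ;;
            ports-*:head|doc-*:head)
                verdict="OK current tree" ;;
            ports-*:release)
                verdict="WARN frozen at a release, gets no later fixes" ;;
            src-*:release|ports-*:stable|ports-*:security|doc-*:stable|doc-*:security)
                verdict="DANGER tag belongs to a different tree" ;;
            *)
                verdict="UNKNOWN check the tag by hand" ;;
        esac
        printf '%s %s %s\n' "$first" "${tag:-none}" "$verdict"
    done
)

# Constructed sample, modelled on the stable-supfile quoted in the thread,
# with ports-all added without "tag=." (the case the DANGER comment warns about).
sample_supfile() {
    cat <<'EOF'
# constructed sample supfile
*default host=cvsup.example.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_6
*default delete use-rel-suffix
*default compress
src-all
ports-all
doc-all tag=.
EOF
}

sample_supfile | lint_supfile
```

To check a real file, feed it on standard input, for example `lint_supfile < stable-supfile`.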
Re: Tracking Security in Ports and Base System
--On February 8, 2006 5:14:42 PM -0800 Chris Maness <[EMAIL PROTECTED]> wrote:

Newbie question: How should I set up cvsup to just track security updates for ports.

Install security/portaudit. You'll be notified daily regarding any ports that need security updates.

And would the best thing to do after I synced CVS, do portupgrade -a so that everything selected gets rebuilt.

I do portupgrade -ai. The last thing you want is to be caught by surprise when something is updated that you were not expecting.

What is the equivalent for the base system?

security/freebsd-update

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Re: Tracking Security in Ports and Base System
Chris Maness writes:
> I rebuilt all of the ports I had installed and it took
> almost two days.

I have 560+ installed; I feel your pain.

Actually, no I don't. Use portaudit/portversion to identify those that need updating, and do some each morning. Unless you hit one of the monsters (java, mozilla, gnome, openoffice, etc.) it's less than an hour.

Robert Huff
Re: Tracking Security in Ports and Base System
Chris Hill wrote:
On Wed, 8 Feb 2006, Chris Maness wrote:

Much simpler: just track RELENG_your_release to get security updates and bug fixes and nothing else. For example, mine is RELENG_5_4 and therefore tracks 5.4-RELEASE.

Is there a way to rebuild just the packages updated? Or does the whole tree have to be rebuilt?

The part you quoted was referring to the system, not ports/packages. Packages, by definition, are already built - you just install them.

Rebuilding the ports tree is yet another matter. When you cvsup ports, you get the (possibly updated) Makefiles and so forth, but the tree that gets updated is only the structure of the /usr/ports hierarchy. No source is downloaded, and nothing gets rebuilt, until you do a portupgrade, or `make deinstall' followed by `make reinstall' for a particular port. My usual routine involves `portupgrade -aRr', but that only upgrades the ports that have changed; it doesn't rebuild *everything*.

Again, if you're doing packages, there is no building involved.

Hope this has been sufficiently obfuscated :^)

Sorry, I am not using the correct lingo. I am cool on the ports now. I think I'll just have to figure out how to use portaudit, because I don't want to have to rebuild all 200+ packages I have installed on this production server. I just want to rebuild the ones that introduce security issues. I rebuilt all of the ports I had installed and it took almost two days.

Thanks
Re: Tracking Security in Ports and Base System
On Wed, 8 Feb 2006, Chris Maness wrote:

Much simpler: just track RELENG_your_release to get security updates and bug fixes and nothing else. For example, mine is RELENG_5_4 and therefore tracks 5.4-RELEASE.

Is there a way to rebuild just the packages updated? Or does the whole tree have to be rebuilt?

The part you quoted was referring to the system, not ports/packages. Packages, by definition, are already built - you just install them.

Rebuilding the ports tree is yet another matter. When you cvsup ports, you get the (possibly updated) Makefiles and so forth, but the tree that gets updated is only the structure of the /usr/ports hierarchy. No source is downloaded, and nothing gets rebuilt, until you do a portupgrade, or `make deinstall' followed by `make reinstall' for a particular port. My usual routine involves `portupgrade -aRr', but that only upgrades the ports that have changed; it doesn't rebuild *everything*.

Again, if you're doing packages, there is no building involved.

Hope this has been sufficiently obfuscated :^)

--
Chris Hill [EMAIL PROTECTED]
** [ Busy Expunging <|> ]
Re: Tracking Security in Ports and Base System
Much simpler: just track RELENG_your_release to get security updates and bug fixes and nothing else. For example, mine is RELENG_5_4 and therefore tracks 5.4-RELEASE.

Is there a way to rebuild just the packages updated? Or does the whole tree have to be rebuilt?
Re: Tracking Security in Ports and Base System
Kris Kennaway wrote:
On Wed, Feb 08, 2006 at 05:14:42PM -0800, Chris Maness wrote:

Newbie question: How should I set up cvsup to just track security updates for ports.

You can't, but you can track the entire thing and use portaudit to identify ports in need of security upgrade.

Kris

How would I keep from upgrading EVERYTHING when I track the whole tree. I just fixed a FreeBSD equivalent of DLL hell when I synced the tree. I now understand portupgrade -r so I can probably avoid that nasty experience again. This is a production server, and I don't want to hose it up.

Thanks for the Help

Chris Maness
Re: Tracking Security in Ports and Base System
On Wed, 8 Feb 2006, Chris Maness wrote:

How should I set up cvsup to just track security updates for ports. And would the best thing to do after I synced CVS, do portupgrade -a so that everything selected gets rebuilt.

I'm not sure there is a way to do this for ports, other than manually checking what's been changed and whether you consider that to be a security upgrade, then upgrading each applicable port by hand. As far as I understand, there is only one tag for ports ("tag=."), which gets you the "current" ports tree. I *can* guarantee that others know more about this than I do.

What is the equivalent for the base system?

Much simpler: just track RELENG_your_release to get security updates and bug fixes and nothing else. For example, mine is RELENG_5_4 and therefore tracks 5.4-RELEASE.

HTH.

--
Chris Hill [EMAIL PROTECTED]
** [ Busy Expunging <|> ]
Re: Tracking Security in Ports and Base System
On Wed, Feb 08, 2006 at 05:14:42PM -0800, Chris Maness wrote:
> Newbie question:
>
> How should I set up cvsup to just track security updates for ports.

You can't, but you can track the entire thing and use portaudit to identify ports in need of security upgrade.

Kris
Re: Tracking Security in Ports and Base System
Chris Maness wrote:
> How should I set up cvsup to just track security updates for ports. And
> would the best thing to do after I synced CVS, do portupgrade -a so that
> everything selected gets rebuilt.
>
> What is the equivalent for the base system?

The ports tree isn't branched; just get HEAD (aka ".") and you'll get the most current version with the most recent security updates. You might want to install security/portaudit, however, which is a very useful tool.

Yes, doing a "portupgrade -ai" is a fine method for updating the ports once you have finished cvsup'ing.

--
-Chuck
Tracking Security in Ports and Base System
Newbie question:

How should I set up cvsup to just track security updates for ports. And would the best thing to do after I synced CVS, do portupgrade -a so that everything selected gets rebuilt.

What is the equivalent for the base system?