Re: ports security branch
On Tuesday 20 December 2005 16:54, rihad wrote:
> Is there a security branch for the FreeBSD ports collection?

No, there isn't.

> Let's say, I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages (i.e., those on the CD). Running security/portaudit after a while reveals that some of the installed packages have vulnerabilities. Am I on my own to go grab the fresh ports tree, and upgrade the affected software, suffering all the intricacies of the move by myself?

CVSUP Portupgrade or portupdate makes this process very simple, they manage all the intricacies for you. Check out Dru Lavigne's article on portupgrade for a simple portupgrade how-to: http://www.onlamp.com/pub/a/bsd/2003/08/28/FreeBSD_Basics.html

I update my ports with it all the time and rarely have problems. If you only want to track security vulnerabilities, just portupgrade the ports that have vulnerabilities - that would be roughly equivalent to tracking a security branch.

> Debian GNU/Linux has its security package updates, OpenBSD has a separately maintained errata ports branch (it's very likely you still get to download a newer release of the software, though). Sorry if this is a bit OT. I've already asked this on freebsd-questions@ but they told me there's no such thing at all.

Cheers,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
ports security branch
Is there a security branch for the FreeBSD ports collection? Let's say, I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages. Running security/portaudit after a while reveals that some of the installed packages have vulnerabilities. Am I on my own to go grab the fresh ports tree, and upgrade the affected software, suffering all the intricacies of the move by myself? Debian GNU/Linux has its security package updates, OpenBSD has a separately maintained errata ports branch (you still get to download a newer release of the software, though (IIRC)).

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ports security branch
On Mon, Dec 19, 2005 at 06:56:25PM +0400, rihad wrote:
> Is there a security branch for the FreeBSD ports collection?

No, the ports tree is not branched at all.

> Let's say, I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages. Running security/portaudit after a while reveals that some of the installed packages have vulnerabilities. Am I on my own to go grab the fresh ports tree, and upgrade the affected software, suffering all the intricacies of the move by myself?

Yes, although sysutils/portmanager can be of some help when upgrading your ports.

> Debian GNU/Linux has its security package updates, OpenBSD has a separately maintained errata ports branch (you still get to download a newer release of the software, though (IIRC)).

--
Insert your favourite quote here.
Erik Trulsson [EMAIL PROTECTED]
Re: ports security branch
Andrea Venturoli wrote:
> rihad wrote:
>
> FreeBSD only has a current port tree. The port tree you call -RELEASE is simply current as it was at the time the base OS was released.

Yes, wrong wording here. I was aware of that snapshot thing happening, just lazy to go check www.freebsd.org for the correct name. Thanks for the nitpick.
Re: ports security branch
--On December 19, 2005 6:56:25 PM +0400 rihad [EMAIL PROTECTED] wrote:
> Is there a security branch for the FreeBSD ports collection? Let's say, I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages. Running security/portaudit after a while reveals that some of the installed packages have vulnerabilities. Am I on my own to go grab the fresh ports tree, and upgrade the affected software, suffering all the intricacies of the move by myself? Debian GNU/Linux has its security package updates, OpenBSD has a separately maintained errata ports branch (you still get to download a newer release of the software, though (IIRC)).

On your own, but not in the sense you may think. If you cvsup your ports (I do it nightly for all my servers), then you can simply run portupgrade and all the affected ports will be upgraded (assuming you use the right switches - I use -ai because I want to be able to decline to upgrade a port if it's going to affect a lot of people and then schedule it for later that same day or the next.)

I'm not sure what you mean by suffering all the intricacies. Cvsup will fetch all the ports that have updates (assuming you use the right config - man is your friend), so you really don't have to do much except launch cvsup (if you haven't already scheduled it routinely) and then launch portupgrade once cvsup is done.

When I set up a new server, one of the first things I do, before installing any applications, is run cvsup to update everything. Then I set up cvsup to run nightly, and only then do I begin installing whatever applications that particular server might need.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Re: ports security branch
Paul Schmehl wrote:
> I'm not sure what you mean by suffering all the intricacies. Cvsup will fetch all the ports that have updates (assuming you use the right config - man is your friend), so you really don't have to do much except launch cvsup (if you haven't already scheduled it routinely) and then launch portupgrade once cvsup is done.
>
> When I set up a new server, one of the first things I do, before installing any applications, is run cvsup to update everything. Then I set up cvsup to run nightly, and only then do I begin installing whatever applications that particular server might need.

I do a very similar thing only I don't cvsup/portupgrade frequently, I portaudit frequently and then cvsup/portupgrade on demand. This way is somewhat less intrusive, as there are frequently port version bumps available that are not security related and certainly not required for continuity of service.

When first getting used to this stuff I thought it moderately burdensome compared to automatic binary updates, but I quickly came to understand the value of being able to choose exactly what, how and when to upgrade. All regrets soon faded. Intricacies and suffering? Sometimes yes, but not that frequently, and it's worth it.

--
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
gregb at scls.lib.wi.us, (608) 266-6348
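
Added example, not part of any message in this thread: a dry-run sketch of the "portaudit frequently, then cvsup/portupgrade on demand" routine described in the replies above, limiting the upgrade to packages the audit flags. It assumes the `Affected package:` line format of `portaudit -a` output; the sample output, package names and URLs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration: build a security-only upgrade command from audit output.

# Constructed sample in the format assumed for `portaudit -a`
# (package names and reference URLs are made up).
sample_audit() {
cat <<'EOF'
Affected package: examplepkg-1.2.3_1
Type of problem: examplepkg -- buffer overflow.
Reference: <http://example.invalid/advisory-1.html>

Affected package: lib-foo-bar-0.9,1
Type of problem: lib-foo-bar -- denial of service.
Reference: <http://example.invalid/advisory-2.html>

Affected package: examplepkg-1.2.3_1
Type of problem: examplepkg -- format string.
Reference: <http://example.invalid/advisory-3.html>

3 problem(s) in your installed packages found.
EOF
}

# Read audit output on stdin and print each affected package once.
# The trailing "-version" is stripped (port versions contain no hyphen),
# so a package with several advisories is listed a single time.
affected_ports() {
    sed -n 's/^Affected package: //p' | sed 's/-[^-]*$//' | sort -u
}

# Print the upgrade command for exactly the flagged packages.
# Prints nothing when the audit is clean, so no upgrade is triggered.
upgrade_command() {
    pkgs=$(affected_ports | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$pkgs" ] && echo "portupgrade -i $pkgs"
    return 0
}

# Dry run on the constructed sample. On a real host, refresh the ports
# tree first, then feed live output: portaudit -a | upgrade_command
sample_audit | upgrade_command
```

The `-i` switch keeps each upgrade interactive, so a flagged port can still be declined and scheduled for later.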
ports security branch
Is there a security branch for the FreeBSD ports collection? Let's say, I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages (i.e., those on the CD). Running security/portaudit after a while reveals that some of the installed packages have vulnerabilities. Am I on my own to go grab the fresh ports tree, and upgrade the affected software, suffering all the intricacies of the move by myself? Debian GNU/Linux has its security package updates, OpenBSD has a separately maintained errata ports branch (it's very likely you still get to download a newer release of the software, though). Sorry if this is a bit OT. I've already asked this on freebsd-questions@ but they told me there's no such thing at all.