Chris wrote:

Excellent and detailed information. I read the handbook and Complete FreeBSD but couldn't grasp the relationship between CURRENT, STABLE, and RELEASE and the cvsup tags definitively. This is important when buying new hardware running ahead of RELEASE changes (e.g. the Broadcom 5704). Last time (a then leading edge server with a U320 Adaptec controller), I manually updated the driver source just to get it to production and made my source out of sync and then feared cvsuping further. I think you've given me, in a nutshell, how to do this more responsibly. Let me take a shot at it for posterity.

RELENG = The official release versions; as well tested as things come. Only get security patches. CURRENT = The very bleeding edge. Updated often. Not recommended for any critical machine. STABLE = Changes that have run well in CURRENT, fix problems or improve performance etc, and are things which will form part of the next RELEASE. Bugs and other issues much less likely than CURRENT.

So developed software generally goes from CURRENT (when tested) -> STABLE -> next RELENG.

But, not all software in CURRENT automatically goes to STABLE. CURRENT (right now) is what will be RELENG_7_0, and not all changes there will be suitable for 6.

1. Take the machine to STABLE via RELENG_6, if it tests reliably, go production and freeze
2. security patch through the .asc file patches until RELEASE 6.2
3. cvsup to RELEASE 6.2 aka RELENG_6_2 (when available and if needed hardware changes were indeed incorporated) 4. given no hardware additions, continue to cvsup on RELENG_6_2_0 for Security Patches for server life-cycle

This should work fine. In step 4, you can consider upgrading from RELENG_6_2 to RELENG_6_3 etc etc, obviously testing. The more critical a machine, however, the less likely you are to want to do that. If you have any kind of farm, then keeping identical hardware and using one machine as a test bed for any upgrades is also a possible scenario. The farm can be as small as two machines - one a backup for the other, but also usable for testing upgrades.

I think it would be technically possible (if unlikely), that a security patch for STABLE might not apply cleanly if you are not running the latest STABLE. In such a case, you might again have to bite the bullet and update to the latest STABLE and test again. This is only likely to happen if the bug is some kind of kernel internal, and even then only if some other code for it in STABLE has changed since you did your upgrade. As I say, I think this would be unlikely.

Depending on what the machine in question actually does, how it is firewalled etc, it might be that you don't even bother to apply a security patch. (No doubt some will shout when I say that), but you have to analyse what risk the security whole actually poses to *your machine*. You could always seek advice here if such an issue arises,

I think a light is clicking on.

Thanks VERY much,

You're welcome.


_______________________________________________ mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to