Bob wrote:
> Hi:
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping 
> things up-to-date using CVSup. 
> When portaudit tells me I have a security issue; I update/re-install the 
> affected port. When a kernel patch comes in, I re-compile the kernel; which 
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
> From what I can tell, buildworld re-builds the base system, something I have 
> yet to do. My thought is to do a buildworld only when the OS version is 
> updated to the next number above 6.1.  I understand this happens at about 4 
> month intervals.
> My question is, is there a good reason to buildworld before a version change? 
> I hate "fixing" something which is working perfectly, and this system has 
> been stellar!

You can't assume that any patch release on a security branch is solely
going to be to fix things in the kernel.  More often than not, the 
upgrade is to fix things in the userland.

That means you have to recompile and re-install the affected software.
Generally security advisories will tell you how to patch and update
the specifically affected stuff.  On the whole though, it always works
to apply a full buildworld cycle as described in /usr/ports/UPDATING,
and for certain security problems it's the only way to be sure the base
system is rendered invulnerable[*].  Also it means the system version
number gets bumped making it easy to identify what machines have been
patched weeks or months down the line.

If you haven't been rebuilding and re-installing world along with kernel
as part of the update cycle, then there is a distinct possibility that
you are still exposed e.g. to the sendmail vulnerabilities from SA-06:17 or
the ypserv problems from SA-06:15 or to various others.

You will find that running the full buildworld procedure is a pretty
smooth operation and if applied with due care and attention it is not
at all difficult to get the system successfully updated nor is it
hard to avoid foot-shooting while doing so.



[*] Where there is significant change of a vulnerability from the base
system affecting 3rd party software from the ports or wherever, that
should be discussed in the security advisories that come out, as well
as what measures are necessary to provide a fix.

Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP:         Ramsgate
                                                      Kent, CT11 9PW
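
Added example (not part of the original message, and not FreeBSD's own tooling): a small sh check, following the remark above about version numbers, that compares the patch level reported by the running kernel with the one recorded in the source tree. The function names and sample values are constructed; it assumes the REVISION="..." / BRANCH="..." assignments used in /usr/src/sys/conf/newvers.sh.

```shell
#!/bin/sh
# Added example. Caveat: uname -r describes the running KERNEL only.
# A kernel at -p6 says nothing about whether "make installworld" was
# also run, which is the gap the reply above warns about.

# Numeric patch level of a release string such as "6.1-RELEASE-p6".
# A string with no -pN suffix counts as patch level 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Read newvers.sh text on stdin, print "REVISION-BRANCH".
source_release() {
    awk -F'"' '/^REVISION=/ {r = $2}
               /^BRANCH=/   {b = $2}
               END          {print r "-" b}'
}

# $1 = running release (uname -r), $2 = release in the source tree.
# Prints: current | behind | different-release
check_kernel() {
    if [ "${1%%-p[0-9]*}" != "${2%%-p[0-9]*}" ]; then
        echo "different-release"
    elif [ "$(patch_level "$1")" -lt "$(patch_level "$2")" ]; then
        echo "behind"
    else
        echo "current"
    fi
}

# Constructed sample input (the p10 level is made up for illustration).
SAMPLE_NEWVERS='TYPE="FreeBSD"
REVISION="6.1"
BRANCH="RELEASE-p10"'
SAMPLE_RUNNING="6.1-RELEASE-p6"

src=$(printf '%s\n' "$SAMPLE_NEWVERS" | source_release)
echo "running kernel: $SAMPLE_RUNNING  sources: $src  ->" \
     "$(check_kernel "$SAMPLE_RUNNING" "$src")"

# On a real machine:
#   check_kernel "$(uname -r)" \
#       "$(source_release < /usr/src/sys/conf/newvers.sh)"
```

A result of "behind" means the sources have been updated past the kernel that is actually running; "current" still only vouches for the kernel, not for the installed userland.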
