Bob wrote:
> Hi:
>
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping
> things up-to-date using CVSup.
>
> When portaudit tells me I have a security issue, I update/re-install the
> affected port. When a kernel patch comes in, I re-compile the kernel, which
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
>
> From what I can tell, buildworld re-builds the base system, something I have
> yet to do. My thought is to do a buildworld only when the OS version is
> updated to the next number above 6.1. I understand this happens at about 4
> month intervals.
>
> My question is, is there a good reason to buildworld before a version change?
> I hate "fixing" something which is working perfectly, and this system has
> been stellar!

You can't assume that any patch release on a security branch is solely going to be to fix things in the kernel. More often than not, the upgrade is to fix things in the userland. That means you have to recompile and re-install the affected software. Generally security advisories will tell you how to patch and update the specifically affected stuff.

On the whole though, it always works to apply a full buildworld cycle as described in /usr/ports/UPDATING, and for certain security problems it's the only way to be sure the base system is rendered invulnerable[*]. Also it means the system version number gets bumped, making it easy to identify what machines have been patched weeks or months down the line.

If you haven't been rebuilding and re-installing world along with kernel as part of the update cycle, then there is a distinct possibility that you are still exposed, e.g. to the sendmail vulnerabilities from SA-06:17 or the ypserv problems from SA-06:15 or to various others.

You will find that running the full buildworld procedure is a pretty smooth operation, and if applied with due care and attention it is not at all difficult to get the system successfully updated, nor is it hard to avoid foot-shooting while doing so.

Cheers,

Matthew

[*] Where there is significant chance of a vulnerability from the base system affecting 3rd party software from the ports or wherever, that should be discussed in the security advisories that come out, as well as what measures are necessary to provide a fix.

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey