Duane Winner wrote:

I've installed 4.9-RELEASE from the .ISO image.
I just want to be certain that I have all security patches now and in
the future.

If I have "*default release=cvs tag=RELEASE_4_9" in my cvsup file, will
I get all the updates I need to be secure?

No - you'll keep updating your source to 4.9-RELEASE which, while fun, isn't ultimately productive because that's the source you've already got. ;)

What you want is something like "tag=RELENG_4_9" which will keep you up-to-date with the latest security and critcal fixes for 4.9-RELEASE or "tag=RELENG_4" which is the -stable development branch and will include not just fixes but also new features and changes as the -stable branch works its way towards the next 4.x release.

Tags that you can put in your supfile are listed on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html and don't forget to read the other sections of the manual about what it means to track one of the development branches.

How do I know when to build a new kernel? How will I know when there is
a security patch for the kernel?
If I cronjob cvsup and rebuild the kernel once a week, will I be up to
How do I know if my running kernel is up-to-date?

No - because there might be updates to software outside of the kernel. For example if a security problem is found in sendmail (perish the thought!) or OpenSSH then recompiling your kernel is not going to get them updated.

If a security problem is fixed in the kernel then you need to re-compile and re-install the kernel. Otherwise you just need to re-compile the relevent part of the system. Or if you can't be sure what has been touched by a particular update, go for a full "make buildworld/installworld" combo as usual.

The other key thing here is the -security-notifications list http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications which will tell you when security problems have been found that effect your system. Then you know when to update your source and/or kernel and/or world.

Hope that clarifies things a bit!


[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to