David Kirchner <[EMAIL PROTECTED]> wrote:
> Paul Allen <[EMAIL PROTECTED]> wrote:
> > The defining feature of the base system in FreeBSD is a set
> > of libraries whose versioning is considered as a set and where
> > library number bumps are carefully planned with respect to
> > changes. Thus ensuring that it is relatively easy to run old
> > binaries on new systems, and ensuring that you are usually
> > free of upgrade hell--within the scope of the basesystem.
> > (at least that is the goal....)
> >
> > Furthermore these library changes are carefully matched to
> > changes in the sysctl's, ioctls, and syscalls.
> >
> > This is a golden bit of work that makes FreeBSD work well
> > (and that Dragonfly has inherited).
>
> It makes it work well right up until gzip or some other program ends
> up with a security hole, and then you have to either manually patch it

Which is usually very easy.

> (having no way to verify later if it was patched other than 'md5')

The patches should increase the RCS/CVS ID, so you can use
ident(1) on the binary.

> or upgrade the entire OS to -STABLE.

Which is usually quite easy, too.

There's a third possibility: Download a patched binary.
Same effect as manually patching and compiling it, but some
people might prefer not to do that themselves.

> Without packaging up the base system, updating a small amount of
> servers (100 or so) becomes a very difficult task

Uhm, I've done that in the past (FreeBSD). It's not difficult
at all, provided that the server farm has been designed and
set up in a reasonable way (with updating in mind, right from
the beginning).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
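
Added example, not part of the original message: the ident(1) check mentioned above, turned into a patch-level audit that can be run over a binary's bytes. The file names, revisions and the sample "binary" are constructed for illustration, and the rule of only comparing revisions on the same RCS branch is an assumption of this sketch.

```python
import re

# Expanded RCS keywords embedded in a binary, the "$keyword: text $"
# markers that ident(1) searches for. FreeBSD sources use $FreeBSD$.
KEYWORD_RE = re.compile(rb"\$(FreeBSD|Id|Header): ([^$\n]{1,255}?) \$")
REV_RE = re.compile(r"\d+(\.\d+)+")

def ident(data):
    """Return (keyword, rcs_file, revision) for each keyword found in data."""
    found = []
    for m in KEYWORD_RE.finditer(data):
        fields = m.group(2).decode("ascii", "replace").split()
        if len(fields) >= 2 and REV_RE.fullmatch(fields[1]):
            found.append((m.group(1).decode(), fields[0], fields[1]))
    return found

def is_patched(found_rev, fixed_rev):
    """True if found_rev is on the same branch as fixed_rev and not older.

    Revisions on different branches (1.5 vs 1.4.2.2) have no simple order,
    so they are conservatively reported as not patched.
    """
    f = tuple(int(p) for p in found_rev.split("."))
    x = tuple(int(p) for p in fixed_rev.split("."))
    return len(f) == len(x) and f[:-1] == x[:-1] and f[-1] >= x[-1]

def audit(data, fixed_revs):
    """fixed_revs maps RCS file name -> first revision carrying the fix."""
    seen = {name: rev for _, name, rev in ident(data)}
    report = {}
    for name, fixed in fixed_revs.items():
        if name not in seen:
            report[name] = "missing"   # no ID string: stripped or other source
        elif is_patched(seen[name], fixed):
            report[name] = "patched"
        else:
            report[name] = "unpatched"
    return report

# Constructed sample: bytes standing in for a compiled program.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x00"
    b"$FreeBSD: src/example/foo.c,v 1.4.2.3 2005/01/01 00:00:00 builder Exp $\x00"
    b"\x00\x13\x37"
    b"$FreeBSD: src/example/bar.c,v 1.7 2004/06/01 00:00:00 builder Exp $\x00"
)
# Constructed advisory data: first fixed revision per file (hypothetical).
FIXED = {"src/example/foo.c,v": "1.4.2.3", "src/example/bar.c,v": "1.8",
         "src/example/baz.c,v": "1.2"}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_BINARY, FIXED).items():
        print(f"{status:10} {name}")
```

A "missing" result means the check cannot decide, which is the case where a checksum comparison against a known-good build is still needed.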
