I'm the same way - I do not look forward to spending an afternoon
upgrading a box, and then manually hacking through the config files
checking for changes. After 30 minutes of this mind-numbing minutiae, I
usually start making mistakes, which leads to more time consumed.
Anyway - most upgrades are not so bad, but I've found if I get more than
2 releases behind, a fresh install is usually the best medicine.

OpenBSD is secure by default.... so getting behind on it is not so bad... if you are using the default install, what is really dangerous is anything we do to our boxes after the default install....

PORTS for example.. have you looked at the right block on undeadly.org
occasionally? They list recent vulnerabilities from the website
http://www.vuxml.org/openbsd/

For example, if you used the port for the antivirus, clamav, and have not upgraded to stable recently or to 3.8, read this quote: "During analysis ClamAV Antivirus Library is vulnerable to buffer overflows allowing attackers complete control of the system"

Similar goes for ports of other things like mysql:
"a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack"


Yes, if you used the default install, and it's in the last year or so, it's secure, but in the real world many admins make holes, and use ports and don't check or upgrade the ports adequately. So the concept of migrating data every 6 months or at least every year to a fresh install is a very good one... That way even if a rootkit left a cronjob, it is likely gone with an install (not an upgrade) on new file systems....

OK, yes, this thread is diverging.
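Added example, not part of the original post: a small checker that reads a VuXML-style document (the format the vuxml.org feed above uses) and reports which installed ports fall inside an advisory's affected version range. The XML document, package names, versions and vids here are constructed samples, not real advisories, and the version comparison is a deliberately simple dotted-numeric one.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML-style sample for illustration; vids are placeholders.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>clamav -- buffer overflows in the antivirus library (sample)</topic>
    <affects><package>
      <name>clamav</name>
      <range><lt>0.87</lt></range>
    </package></affects>
  </vuln>
  <vuln vid="11111111-1111-1111-1111-111111111111">
    <topic>mysql -- mysqlaccess temporary file symlink issue (sample)</topic>
    <affects><package>
      <name>mysql-server</name>
      <range><ge>4.1</ge><lt>4.1.11</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

def version_key(v):
    """Crude dotted-numeric key; real package version rules are richer."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def in_range(version, rng):
    """True if version satisfies every bound (lt/le/ge/gt) inside a <range>."""
    vk = version_key(version)
    bounds = {"lt": lambda b: vk < b, "le": lambda b: vk <= b,
              "ge": lambda b: vk >= b, "gt": lambda b: vk > b}
    for tag, ok in bounds.items():
        node = rng.find("v:" + tag, NS)
        if node is not None and not ok(version_key(node.text)):
            return False
    return True

def check_installed(vuxml_text, installed):
    """installed: {pkgname: version}, e.g. built from pkg_info output.
    Returns (name, version, vid, topic) for each matching advisory."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            if name not in installed:
                continue
            ver = installed[name]
            if any(in_range(ver, r) for r in pkg.findall("v:range", NS)):
                hits.append((name, ver, vuln.get("vid"), topic))
    return hits
```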
