Hi,

Gabriel George POPA wrote on Thu, Mar 16, 2006 at 05:26:01PM +0200:

> 4) I've heard about binpatch and I've tried to use it once
> (I must apply some security/reliability patches here).
> For me it's impractical to recompile the entire system

You need not recompile the entire system in order to apply patches
to a -release system.  You only need to recompile those parts of
the system actually affected by the respective patches.
Each patch contains instructions stating which parts of the system
you need to recompile in order to apply it properly.
These instructions cite the "cd", "patch" and "make" commands
you need to type.

> (I have the power to do that, I did it a million times on FreeBSD,
> but now I'm running a production system and I'm afraid that I should
> spoil some settings).

You need not be afraid.  Compiling (official) patches on a production
system will not spoil settings.  Of course, if you would edit random
files in /usr/src before applying the patches, you might well spoil
things.  So just refrain from doing that...

[ concerning binpatch ]
> I saw that you must edit a Makefile (it seems rather complicated).
> I don't know how to edit this

Usually, you need not edit the whole Makefile, but just the patch
targets at the bottom.  If translating the instructions in the
patches into targets in the Makefile looks complicated to you,
you should probably not be using binpatch.

By the way, as far as I see,
  http://openbsdbinpatch.sourceforge.net/Makefile.sample
appears to be currently up-to-date.  But don't rely on that.
In any case, you ought to be able to verify the correctness of the
Makefile before using binpatch.

> (how can I learn to modify it

Er, well, the Makefile is supposed to be self-documented.
For details about the implementation of the shortcuts,
e.g. ${_build}, read the file bsd.binpatch.mk.

Note that usually, you are *much* safer applying patches
on each individual machine using the official procedure
supported by the OpenBSD project - in particular in case
you don't feel at ease with make(1).

I know only two good reasons why you might want to use binpatch:
 - You have a server where you cannot compile patches due to
   lack of resources.  If that is the cause for you, migrating
   to more powerful hardware might be a safer option - note
   that even an old PI or PII box is usually sufficient for
   compiling patches.
 - You have so many servers that compiling on all of them
   will take too much of your time.  Clearly, anybody running
   a large number of servers should not feel scared by using
   basic tools like make(1) - or will be in for trouble sooner
   or later, anyway.

Yours,
  Ingo
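
The reply above notes that each patch carries its own "cd", "patch" and "make" instructions. The following added example (not part of the original message and not OpenBSD project code) lists those commands from a patch header so they can be reviewed before being typed. It assumes the instructions are indented lines ahead of the first `Index:` line; the sample patch and the function names are constructed.

```shell
#!/bin/sh
# Added example: list the commands an errata patch header asks you to run.
# Assumption: the instructions are the indented cd/patch/make lines that
# precede the first "Index:" line of the patch.

errata_commands() {
    # $1 = path to the patch file
    awk '
        /^Index:/ || /^diff / { exit }          # diff body starts: stop
        /^[ \t]+(cd|patch|make)[ \t]/ || /^[ \t]+make$/ {
            sub(/^[ \t]+/, "")                  # drop the indentation
            print
        }
    ' "$1"
}

# Constructed sample patch (not a real erratum), written to the given file.
write_sample_patch() {
    cat > "$1" <<'EOF'
Apply by doing:
	cd /usr/src
	patch -p0 < NNN_example.patch

And then rebuild and install the example utility:
	cd usr.bin/example
	make obj
	make depend
	make
	make install

Index: usr.bin/example/example.c
===================================================================
--- usr.bin/example/example.c	(constructed)
+++ usr.bin/example/example.c	(constructed)
@@ -1,1 +1,1 @@
-	make_unsafe(buf);
+	make_safe(buf);
EOF
}

sample=$(mktemp) && write_sample_patch "$sample"
errata_commands "$sample"    # prints only the commands from the header
rm -f "$sample"
```

Lines of the diff body that happen to contain the word "make" are ignored, because parsing stops at the first `Index:` line.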
