On Sun, 20 Jul 2008, mk wrote:
> Hello list,
>
> I have several packages which are exposed to internet installed on my
> OpenBSD 4.2 server.
> Unfortunately some of them are quite old and contain security bugs so I
> would like to update them.

First step: update to 4.3-release
Second step: update to 4.3-stable
Third step: update all packages. See man pkg_add

> I was watching quite a big fight on MISC OpenBSD list recently so I know
> that updates are not released for stable version
> anymore and it is necessary to follow current and build everything from
> ports if you want updated software.

Unlike other OSes, OpenBSD keeps (obsessively) to a 6 month release
cycle. This means you will wait, on average, 90 days for an update.
The next release will be 4.4 on November 1, 2008.

Security changes (or major functional bug-fixes) to the kernel and
user-land are still made as they happen to -stable, and, I think,
stable n-1. (At present, 4.2 and 4.3 are being maintained). Just
not to the ports/packages.

So it is not as bad as it might look.

There are only a few (in my opinion) reasons to update a package/port.

1) New swell features, almost always these are brainless
   fluff from Linuxland like "redesigned Klingon fonts" or "Morphing
   xterm backgrounds", or new support for some obscure language like
   "Structured Visual Forth on Rails". Included would be new major
   releases of something that hasn't needed a major release since
   1985, like "ls" or "vi". Most "vanity" packages -- re-invented
   wheels -- come under this heading.

2) Fixes for last year's wretched excesses: "now Klingon
   letter "double tlh" prints correctly with improved kerning", i.e. stuff
   that doesn't affect operation or system integrity.

3) Fixes that close security loopholes or repair bugs that
   have been crashing the system or crashing major applications or
   crashing the package. (also s/crashing/severely buggering up/g).

In my opinion, (1) and (2) can wait the 90 days. In case (3)
I assume there is no acceptable workaround. ("Shut down named
and buy commercial name service" is not my idea of an acceptable
workaround...)

We can add (4):

4) Stuff you want badly. Maybe you have an uncle who only
   speaks Klingon. Maybe your boss or client is roasting you to get
   a specific spam trap up and running YESTERDAY.

(3) and (4) demand action, in other words.

> Should I switch to current? .... because it seems in current are sometimes
> big changes, is current ok for production system?
No and No.
> How do you solve this issue? Do you run current, or compile applications
> directly from source?

I personally am still at 4.2-stable. I ignore the issue. But I
don't offer outside hosts any access. Recent named cache-poisoning
issues are motivating me to install an updated name server.

I compile applications from wherever I can get them. (I write
software sometimes, too).

> Or is there any other possibility?

Let's look at cases (3) and (4). If you're not familiar with
programming and system administration in Unix, you're not going to
have fun updating by any method, and will remain a slave to pkg_add
and pkg_delete. Even using ports to make a package and then install
it (which is all ports is) will be scary. So let's assume you have
clue.

Get familiar with how ports works. RTFM man ports.

I'll work out a specific example later, over the next few days,
maybe. Or not.

Dave