Re: Keeping my system up to date with CTM or subversion?

2013-05-23 Thread Mike Clarke
On Wednesday 22 May 2013 21:23:39 Ed Flecko wrote:

> When security vulnerabilities are discovered and patches released by FBSD,
> the patch will tell you what steps you need to take to apply the patch and
> stay up to date, won't it?

Yes, if you subscribe to the FreeBSD Security Notifications mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
you'll get email notifications when security patches are available. These give
details of the background and impact of the vulnerability along with
instructions on how to obtain and apply the patches.

-- 
Mike Clarke
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Keeping my system up to date with CTM or subversion?

2013-05-22 Thread Ed Flecko
I'm confused about an effective way to keep my system patched and
up-to-date, and I'm hoping someone can clarify what seems like a lot of
options.

I'll be running a production server (so security and stability are most
important) with a custom kernel and I want it to have all of the latest
security patches applied. I'll install from DVD and I'll choose the option
to install both the ports and the source.

After this, it sure seems like the best way, in terms of speed to download
any updated files, is to use CTM as a cron job, but I think the FBSD
handbook recommends subversion? Also, I think I read that CTM won't update
documentation? Is that right?

I also see some people say they use portsnap, portaudit and portupgrade.
For example, I came across this command:

portsnap fetch && /usr/sbin/portsnap update && /usr/local/sbin/portaudit -F &&
/usr/local/sbin/portupgrade -aR

however these utilities are used more for keeping your ports collection
up-to-date (if you install software from ports), and not so much for
keeping your system patched from a security perspective - isn't that right?

Hopefully, someone can clarify my confusion.

Thank you!

Ed


Re: Keeping my system up to date with CTM or subversion?

2013-05-22 Thread Alexandre
On Wed, May 22, 2013 at 8:26 PM, Ed Flecko edfle...@gmail.com wrote:

> I'm confused about an effective way to keep my system patched and
> up-to-date, and I'm hoping someone can clarify what seems like a lot of
> options.
>
> I'll be running a production server (so security and stability are most
> important) with a custom kernel and I want it to have all of the latest
> security patches applied. I'll install from DVD and I'll choose the option
> to install both the ports and the source.
>
> After this, it sure seems like the best way, in terms of speed to download
> any updated files, is to use CTM as a cron job, but I think the FBSD
> handbook recommends subversion? Also, I think I read that CTM won't update
> documentation? Is that right?
>
> I also see some people say they use portsnap, portaudit and portupgrade.
> For example, I came across this command:
>
> portsnap fetch && /usr/sbin/portsnap update && /usr/local/sbin/portaudit -F &&
> /usr/local/sbin/portupgrade -aR
>
> however these utilities are used more for keeping your ports collection
> up-to-date (if you install software from ports), and not so much for
> keeping your system patched from a security perspective - isn't that right?
>
> Hopefully, someone can clarify my confusion.
>
> Thank you!
>
> Ed


Hi Ed,

To update my ports tree, I use the portsnap tool. To install ports (or
upgrade them) I use portmaster. More information here:
http://www.freebsd.org/doc/en/books/handbook/ports-using.html
To update my sources tree, I use the subversion tool. Then I rebuild world.
More information here:
http://www.freebsd.org/doc/en/books/handbook/svn.html
http://www.freebsd.org/doc/en/books/handbook/makeworld.html
I use subversion to update my sources tree because I am running 9-STABLE.
If you are running 9.x-RELEASE (or 8.x-RELEASE) you can use
freebsd-update to sync sources and install binary patches. As you are
using a custom kernel, you will have to recompile it. More information here:
http://www.freebsd.org/doc/en/books/handbook/updating-upgrading-freebsdupdate.html

I hope this helps you.

Kind regards,
Alexandre

Re: Keeping my system up to date with CTM or subversion?

2013-05-22 Thread Ed Flecko
Alexandre,
Yes, that helps - thank you.

So once you have a system up and running, how do you monitor if and when
you need to upgrade your ports tree?

By the way, your ports tree is different than installed software packages,
right? In other words, the only reason people even bother to upgrade their
ports tree is so that IF you install a package from source - the source is
current? Is that correct?

When security vulnerabilities are discovered and patches released by FBSD,
the patch will tell you what steps you need to take to apply the patch and
stay up to date, won't it?

Ed


On Wed, May 22, 2013 at 1:00 PM, Alexandre axel...@ymail.com wrote:

> On Wed, May 22, 2013 at 8:26 PM, Ed Flecko edfle...@gmail.com wrote:
>
> > I'm confused about an effective way to keep my system patched and
> > up-to-date, and I'm hoping someone can clarify what seems like a lot of
> > options.
> >
> > I'll be running a production server (so security and stability are most
> > important) with a custom kernel and I want it to have all of the latest
> > security patches applied. I'll install from DVD and I'll choose the option
> > to install both the ports and the source.
> >
> > After this, it sure seems like the best way, in terms of speed to download
> > any updated files, is to use CTM as a cron job, but I think the FBSD
> > handbook recommends subversion? Also, I think I read that CTM won't update
> > documentation? Is that right?
> >
> > I also see some people say they use portsnap, portaudit and portupgrade.
> > For example, I came across this command:
> >
> > portsnap fetch && /usr/sbin/portsnap update && /usr/local/sbin/portaudit -F &&
> > /usr/local/sbin/portupgrade -aR
> >
> > however these utilities are used more for keeping your ports collection
> > up-to-date (if you install software from ports), and not so much for
> > keeping your system patched from a security perspective - isn't that
> > right?
> >
> > Hopefully, someone can clarify my confusion.
> >
> > Thank you!
> >
> > Ed
>
>
> Hi Ed,
>
> To update my ports tree, I use the portsnap tool. To install ports (or
> upgrade them) I use portmaster. More information here:
> http://www.freebsd.org/doc/en/books/handbook/ports-using.html
> To update my sources tree, I use the subversion tool. Then I rebuild world.
> More information here:
> http://www.freebsd.org/doc/en/books/handbook/svn.html
> http://www.freebsd.org/doc/en/books/handbook/makeworld.html
> I use subversion to update my sources tree because I am running 9-STABLE.
> If you are running 9.x-RELEASE (or 8.x-RELEASE) you can use
> freebsd-update to sync sources and install binary patches. As you are
> using a custom kernel, you will have to recompile it. More information here:
> http://www.freebsd.org/doc/en/books/handbook/updating-upgrading-freebsdupdate.html
>
> I hope this helps you.
>
> Kind regards,
> Alexandre





Re: Keeping my system up to date with CTM or subversion?

2013-05-22 Thread Polytropon
On Wed, 22 May 2013 13:23:39 -0700, Ed Flecko wrote:
> So once you have a system up and running, how do you monitor if and when
> you need to upgrade your ports tree?

This highly depends on your updating policy. There are three
mainstream opinions:

a) always update, regularly (e. g. once a week)

b) only update if security requires it (e. g. when portaudit alerts)

c) update as soon as an additional functionality is desired

Of course, combined opinions are also valid. :-)

For updating the ports tree, portsnap is the easiest tool. However,
if you follow opinion a) and update _very_ regularly (e. g. daily),
you could use SVN to obtain the (smaller) deltas to your local tree.
This also helps because you can directly access the tree and don't
have to wait until a snapshot is made available. For higher update
frequencies, this is often the better approach.

There is another valid opinion: Install once, make sure everything
works, never touch a running system. I'm a big fan of this attitude,
at least on my home systems. ;-)



> By the way, your ports tree is different than installed software packages,
> right?

That is possible when you update your ports tree (by whatever
method) _after_ you have installed something. A typical conclusion
is that you might need to rebuild stuff as soon as you install
something with that (newer) tree.

Example: Tree is at version 12345, you install foo-1.0 which
depends on bar-1.5. Two weeks later, you update your ports tree
and get version 23456. You don't want to touch foo and bar, but
you now need to install baz which requires bar-1.6 (which has
now arrived in the tree). So now you need to update bar from
1.5 to 1.6, and _maybe_ also foo to a newer version (whatever
that might be).



> In other words, the only reason people even bother to upgrade their
> ports tree is so that IF you install a package from source - the source is
> current? Is that correct?

Maybe the wording is a bit strange, but yes, updating the ports
tree means to have the latest and _consistent_ versions of all
the programs in the tree (so their interconnections will work
properly). This is also helpful when you install from different
sources, e. g. some stuff from source, some stuff as binary
packages from Latest/.



> When security vulnerabilities are discovered and patches released by FBSD,
> the patch will tell you what steps you need to take to apply the patch and
> stay up to date, won't it?

The OS patches are announced that way. You should always read the
UPDATING files in /usr/src (for the OS) and /usr/ports (for installed
applications) to make sure you're not missing a simple (but important)
step during upgrades.

Patches for the OS are of course handled independently from those
applying to applications from the ports collection.




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
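
Added example, not part of the post above: one way to follow the advice to read the UPDATING files is to print only the entries dated since the last upgrade, optionally limited to one port. The function names, the sample entries and the dates are constructed for illustration; the script assumes the `YYYYMMDD:` entry headers used in /usr/ports/UPDATING and /usr/src/UPDATING.

```shell
#!/bin/sh
# Added example: show UPDATING entries dated on or after a cutoff (YYYYMMDD).
# An entry starts at a "YYYYMMDD:" line in column 0 and runs to the next one.

# updating_since CUTOFF FILE [PATTERN]   (FILE may be "-" for stdin)
# PATTERN is an optional awk regex, e.g. a port origin such as devel/bar.
updating_since() {
    cutoff=$1 file=$2 pattern=${3:-.}
    awk -v cutoff="$cutoff" -v pat="$pattern" '
        function emit() {
            if (date != "" && date + 0 >= cutoff + 0 && body ~ pat)
                printf "%s", body
            body = ""
        }
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ {
            emit(); date = substr($0, 1, 8)
        }
        date != "" { body = body $0 "\n" }   # text before the first entry is skipped
        END { emit() }
    ' "$file"
}

# Constructed sample in the ports UPDATING layout (not real entries).
sample_updating() {
    cat <<'EOF'
This file documents some of the problems you may encounter when upgrading.

20130520:
  AFFECTS: users of devel/bar
  AUTHOR: someone@example.org

  bar has been updated to 1.6. Rebuild every port that depends on it.

20130410:
  AFFECTS: users of www/foo
  AUTHOR: someone@example.org

  foo now stores its configuration in a new location.

20121201:
  AFFECTS: users of misc/baz
  AUTHOR: someone@example.org

  baz has a new default option.
EOF
}

# Demo on the sample; on a real system: updating_since 20130401 /usr/ports/UPDATING
sample_updating | updating_since 20130401 - devel/bar
```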


Re: Keeping my system up to date with CTM or subversion?

2013-05-22 Thread Walter Hurry
On Wed, 22 May 2013 13:23:39 -0700, Ed Flecko wrote:

> Alexandre,
> Yes, that helps - thank you.
>
> So once you have a system up and running, how do you monitor if and when
> you need to upgrade your ports tree?
>
> By the way, your ports tree is different than installed software
> packages, right? In other words, the only reason people even bother to
> upgrade their ports tree is so that IF you install a package from source
> - the source is current? Is that correct?
>
> When security vulnerabilities are discovered and patches released by
> FBSD, the patch will tell you what steps you need to take to apply the
> patch and stay up to date, won't it?

Why are you asking these questions about a *production* server?
Run for a while with a test server until you have ironed out any issues.
