Re: Patches in FreeBSD
- Original Message -
From: "Jerry McAllister" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, February 26, 2007 1:23 PM
Subject: Re: Patches in FreeBSD

> On Mon, Feb 26, 2007 at 10:53:20AM -0800, Josh Carroll wrote:
> > >My question is: How do I respond to this?
> > >I have seen the word patch used in security update messages - but
> > >didn't follow that path. Is that real? Does it cover kernel
> > >things essentially on the fly or is a 'time consuming' rebuild
> > >still needed?
> >
> > 6.2 now officially supports binary patches via freebsd-update(8). From
> > the 6.2-RELEASE announcement
> > (http://www.freebsd.org/releases/6.2R/announce.html):
> >
> > "freebsd-update(8) provides officially supported binary updates for
> > security fixes and errata patches"
> >
> > So there's your response. :)
>
> Thank you.
> I didn't realize my question is too cutting edge - so to speak.
> I saw a few posts mentioning update, but didn't take the time to
> follow them and didn't realize their possible relevance.
> So, good news!
>

No, it isn't. They will just find some other excuse to try to switch you
over to Linux. The patch excuse was one of the lamest. Even in the
"pre binary" patch days it didn't require the entire system to be rebuilt
just to patch a daemon.

Ted
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Patches in FreeBSD
Josh Carroll wrote:
> > and you can update your third party packages via binary packages
> > (which you can get from freebsd.org or build yourself)...so it seems
> > these two solutions would be a great fit.
>
> Right, using packages instead of ports means he can do binary updates
> of packages as well, without having to recompile them from ports for
> version updates.
>
> Josh

Assuming the package is available, which is not always the case.

Brian
Re: Patches in FreeBSD
On Mon, Feb 26, 2007 at 02:11:48PM -0600, Dan Nelson wrote:
> In the last episode (Feb 26), Jerry said:
> > I am being forced to use something besides FreeBSD - probably Susie
> > or Red Hat Linux for the base of a server system. The primary reason
> > given is that when security issues come along, FreeBSD has no way of
> > patching the running system, but rather requires rebuilding the
> > system - CVSUP, make, install, etc whereas Susie and Red Hat can be
> > patched on the fly. I presume this means kernel type security stuff
> > rather than concerns about third party software.
>
> FreeBSD can be patched on the fly just as easily as Linux. In both
> cases: Kernel fixes require a reboot. Fixes to running daemons require
> them to be restarted. Fixes to shared libraries require all running
> programs using them to be restarted (usually simpler to just reboot).
>
> YAST/up2date/whatever may automatically restart daemons (I know apt-get
> in Debian does), but for something like a libc update, the fact that
> the file is delivered via an RPM versus a "make install" step doesn't
> save you from a reboot.

I rather thought that, but wasn't informed enough at the time to
make an argument. This will take some diplomacy around here, but,
this is helpful.

Thanks,

jerry

>
> > My question is: How do I respond to this? I have seen the word
> > patch used in security update messages - but didn't follow that path.
> > Is that real? Does it cover kernel things essentially on the fly or
> > is a 'time consuming' rebuild still needed?
>
> A patch lets you fix the problem listed in the security advisory
> without necessarily having to do a full buildworld. The SA-07:02.bind
> advisory, for example, gives instructions on how to patch, rebuild,
> install, and restart named.
>
> --
> Dan Nelson
> [EMAIL PROTECTED]
Re: Patches in FreeBSD
On Mon, Feb 26, 2007 at 10:53:20AM -0800, Josh Carroll wrote:
> >My question is: How do I respond to this?
> >I have seen the word patch used in security update messages - but
> >didn't follow that path. Is that real? Does it cover kernel
> >things essentially on the fly or is a 'time consuming' rebuild
> >still needed?
>
> 6.2 now officially supports binary patches via freebsd-update(8). From
> the 6.2-RELEASE announcement
> (http://www.freebsd.org/releases/6.2R/announce.html):
>
> "freebsd-update(8) provides officially supported binary updates for
> security fixes and errata patches"
>
> So there's your response. :)

Thank you.
I didn't realize my question is too cutting edge - so to speak.
I saw a few posts mentioning update, but didn't take the time to
follow them and didn't realize their possible relevance.
So, good news!

jerry

>
> Josh
Re: Patches in FreeBSD
In the last episode (Feb 26), Jerry said:
> I am being forced to use something besides FreeBSD - probably Susie
> or Red Hat Linux for the base of a server system. The primary reason
> given is that when security issues come along, FreeBSD has no way of
> patching the running system, but rather requires rebuilding the
> system - CVSUP, make, install, etc whereas Susie and Red Hat can be
> patched on the fly. I presume this means kernel type security stuff
> rather than concerns about third party software.

FreeBSD can be patched on the fly just as easily as Linux. In both
cases: Kernel fixes require a reboot. Fixes to running daemons require
them to be restarted. Fixes to shared libraries require all running
programs using them to be restarted (usually simpler to just reboot).

YAST/up2date/whatever may automatically restart daemons (I know apt-get
in Debian does), but for something like a libc update, the fact that
the file is delivered via an RPM versus a "make install" step doesn't
save you from a reboot.

> My question is: How do I respond to this? I have seen the word
> patch used in security update messages - but didn't follow that path.
> Is that real? Does it cover kernel things essentially on the fly or
> is a 'time consuming' rebuild still needed?

A patch lets you fix the problem listed in the security advisory
without necessarily having to do a full buildworld. The SA-07:02.bind
advisory, for example, gives instructions on how to patch, rebuild,
install, and restart named.

--
Dan Nelson
[EMAIL PROTECTED]
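The point in the message above, that a shared-library fix only takes effect once the programs using the library are restarted, can be checked mechanically. This is an added example, not part of the thread: it assumes a Linux-style /proc, where a mapping of a replaced file is tagged "(deleted)"; the function names `stale_lib_procs` and `demo` and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On Linux, /proc/<pid>/maps tags a mapping
# "(deleted)" when the file on disk was replaced after the process mapped it.

# stale_lib_procs [PROC_ROOT]: print "pid name libs" for every process that
# still maps a replaced shared library. PROC_ROOT defaults to /proc.
stale_lib_procs() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"; pid="${pid##*/}"
        libs=$(awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.|$)/ { print $(NF-1) }' \
                   "$maps" 2>/dev/null | sort -u | tr '\n' ' ')
        [ -n "$libs" ] || continue
        name=$(cat "$root/$pid/comm" 2>/dev/null) || name='?'
        printf '%s %s %s\n' "$pid" "$name" "${libs% }"
    done
}

# demo: build a constructed /proc-like tree (two fake processes) and scan it.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/101" "$t/202"
    echo named > "$t/101/comm"
    echo sshd  > "$t/202/comm"
    # pid 101 started before the libc update: it maps the old, unlinked file.
    cat > "$t/101/maps" <<'EOF'
00400000-00452000 r-xp 00000000 08:01 131 /usr/sbin/named
7f10a000-7f22b000 r-xp 00000000 08:01 977 /lib/libc.so.6 (deleted)
7f22b000-7f22f000 rw-p 0011b000 08:01 977 /lib/libc.so.6 (deleted)
EOF
    # pid 202 was restarted after the update: it maps the current file.
    cat > "$t/202/maps" <<'EOF'
00400000-00460000 r-xp 00000000 08:01 140 /usr/sbin/sshd
7f10a000-7f22b000 r-xp 00000000 08:01 988 /lib/libc.so.6
EOF
    stale_lib_procs "$t"
    rm -rf "$t"
}

demo    # prints: 101 named /lib/libc.so.6
```

Run as root with no argument, `stale_lib_procs` scans the live /proc; any process it lists is still running the unpatched library code until it is restarted.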
Re: Patches in FreeBSD
> and you can update your third party packages via binary packages
> (which you can get from freebsd.org or build yourself)...so it seems
> these two solutions would be a great fit.

Right, using packages instead of ports means he can do binary updates
of packages as well, without having to recompile them from ports for
version updates.

Josh
Re: Patches in FreeBSD
On 2/26/07, Josh Carroll <[EMAIL PROTECTED]> wrote:
> > My question is: How do I respond to this?
> > I have seen the word patch used in security update messages - but
> > didn't follow that path. Is that real? Does it cover kernel
> > things essentially on the fly or is a 'time consuming' rebuild
> > still needed?
>
> 6.2 now officially supports binary patches via freebsd-update(8). From
> the 6.2-RELEASE announcement
> (http://www.freebsd.org/releases/6.2R/announce.html):
>
> "freebsd-update(8) provides officially supported binary updates for
> security fixes and errata patches"
>
> So there's your response. :)

and you can update your third party packages via binary packages
(which you can get from freebsd.org or build yourself)...so it seems
these two solutions would be a great fit.

-pete

--
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group
Re: Patches in FreeBSD
> My question is: How do I respond to this?
> I have seen the word patch used in security update messages - but
> didn't follow that path. Is that real? Does it cover kernel
> things essentially on the fly or is a 'time consuming' rebuild
> still needed?

6.2 now officially supports binary patches via freebsd-update(8). From
the 6.2-RELEASE announcement
(http://www.freebsd.org/releases/6.2R/announce.html):

"freebsd-update(8) provides officially supported binary updates for
security fixes and errata patches"

So there's your response. :)

Josh
Patches in FreeBSD
Hi All,

I am being forced to use something besides FreeBSD - probably Susie
or Red Hat Linux for the base of a server system. The primary reason
given is that when security issues come along, FreeBSD has no way of
patching the running system, but rather requires rebuilding the
system - CVSUP, make, install, etc whereas Susie and Red Hat can be
patched on the fly. I presume this means kernel type security stuff
rather than concerns about third party software.

Up to now, I have not been in a situation that doing a cvsup and
builds and installs or even scratch installs of new versions wasn't
just fine, so that is what I have done and have some experience with.
But the powers that be here are saying that is unacceptable because
it will take the system down too much for critical fixes.

My question is: How do I respond to this?
I have seen the word patch used in security update messages - but
didn't follow that path. Is that real? Does it cover kernel
things essentially on the fly or is a 'time consuming' rebuild
still needed?

I will look up some stuff on patches in FreeBSD, but would like to
hear some perspective on this.

Thanks,

jerry