Re: Update utility

2004-03-09 Thread Simon Barner
Chris wrote:
> > However, once you use a source based update method, the port will not work
> > any longer, since your installation will consist of custom binaries that do
> > not match the recorded checksums.
>
> I like the idea of the bin-updates. Most of the end users of FBSD really
> don't have a need to have custom src so this may be a very acceptable
> way to go.

I was not necessarily thinking of local changes to the source tree, but
also of some applications that can be compiled with customized options
(e.g. sendmail with TLS+SASL support). Of course, I agree with you,
that the majority of end users will not do this (or use one of the
ports).

Btw. I just had a look at the web site[1], and it seems that
freebsd-update can deal with systems that were updated using the source
based method.

[...]

> I'm interested in the time it takes to do the freebsd-update, and
> if rebooting is needed.

I haven't tried it, either. I guess that you will need to reboot as soon
as the kernel is patched, otherwise shutting down and restarting the
service in question should be enough.

Simon

-- 
[1] http://www.daemonology.net/freebsd-update/




Re: Update utility

2004-03-09 Thread Bart Silverstrim
On Mar 9, 2004, at 12:57 AM, Steve Ireland wrote:
> Below is from a post to [EMAIL PROTECTED] It sounds like what you're looking
> for. I haven't tested it yet, but it's on my list of things to look into.

I glanced over the site (http://www.roq.com/projects/quickpatch/) and 
it's saying that if I run that sequence of commands, then the next day 
I'd just have one script to run and that would patch the system for me 
and have everything up to date?

Anyone using QuickPatch, and have some experiences to share with using 
it?

The system I am currently using is portupgrade (update the ports tree 
via cvsup; portupgrade everything).  Does anyone know if QuickPatch 
checks your current versions of software so you don't get a patch for 
software that's already been updated/altered?

Someone else mentioned freebsd-update.  I haven't looked at that 
yet...is it just for binary updates, or system-wide, or...?

I guess what would really help (especially for newer users) is a 
reference or howto with definitive steps on how to do this, as in a 
step by step guide or script on how to keep your system up to date 
after a fresh install and keeping it up to date thereafter...does this 
exist somewhere?  The documentation I've found seems fragmented between 
binary installs and source installs and port updates versus OS updates 
and...sorry, just gets confusing sometimes :-)

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Update utility

2004-03-09 Thread lee slaughter
Bart Silverstrim wrote:

> I guess what would really help (especially for newer users) is a
> reference or howto with definitive steps on how to do this, as in a
> step by step guide or script on how to keep your system up to date
> after a fresh install and keeping it up to date thereafter...does this
> exist somewhere?  The documentation I've found seems fragmented
> between binary installs and source installs and port updates versus OS
> updates and...sorry, just gets confusing sometimes :-)

Amen!



Re: Update utility

2004-03-08 Thread Bart Silverstrim
On Mar 8, 2004, at 12:15 PM, Ioannis Vranos wrote:

> Is there any utility in FreeBSD 4.9 to check for possible updates/bug
> fixes via internet?

I *think* I have kind of a handle on this on the server I just
installed...

I usually do a cvsup to update the list of the ports tree, then use a 
procedure I picked out of http://www.freebsddiary.org/portupgrade.php 
to update applications with portupgrade.

If anyone else has a method other than this, I'd love to know the 
procedure :-)

This only updates ports.  Updating FreeBSD, I don't know of anything 
other than if you find a security advisory, you have to have the src 
tree and patch that portion and recompile whatever had the 
vulnerability, following the advisory instructions.  I'm thinking that 
since most daemons/applications are from ports, keeping your ports tree 
updated should limit most remote exploits...I would be interested in 
knowing of a way to check whether the installation of the OS is up to 
date, though.



Re: Update utility

2004-03-08 Thread Simon Barner
Bart Silverstrim wrote:
> On Mar 8, 2004, at 12:15 PM, Ioannis Vranos wrote:
> > Is there any utility in FreeBSD 4.9 to check for possible updates/bug
> > fixes via internet?
>
> I *think* I have kind of a handle on this on the server I just
> installed...
>
> I usually do a cvsup to update the list of the ports tree, then use a
> procedure I picked out of http://www.freebsddiary.org/portupgrade.php
> to update applications with portupgrade.
>
> If anyone else has a method other than this, I'd love to know the
> procedure :-)

For third party applications, portupgrade should be the tool of
choice...

> This only updates ports.  Updating FreeBSD, I don't know of anything
> other than if you find a security advisory, you have to have the src
> tree and patch that portion and recompile whatever had the
> vulnerability, following the advisory instructions.  I'm thinking that
> since most daemons/applications are from ports, keeping your ports tree
> updated should limit most remote exploits...I would be interested in
> knowing of a way to check whether the installation of the OS is up to
> date, though.

This is what the so-called security branches are good for: Just CVSup
your source tree, do a full buildworld cycle, and you should be fine.

Valid security branches (for use in your supfile) are for example RELENG_4_9
or RELENG_5_2.

If you prefer binary updates, there is a special port
(security/freebsd-update), but it will only work on an unaltered
installation (i.e. you did not do any buildworlds), and of course, you
can run the freebsd-update port incrementally.

However, once you use a source based update method, the port will not work
any longer, since your installation will consist of custom binaries that do
not match the recorded checksums.

Simon
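
The checksum mismatch described in this message, as an added example that is not part of the original post and not freebsd-update's own code: it compares an installed tree against a recorded index of release checksums and reports which files are unmodified, locally rebuilt, or missing. The index layout (path to SHA-256), the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify(root, recorded):
    """Map each recorded path to "pristine", "modified" or "missing".

    A file whose hash differs from the recorded one is a locally built
    binary that a checksum-based binary updater cannot match.
    """
    result = {}
    for rel, expected in recorded.items():
        target = Path(root) / rel
        if not target.is_file():
            result[rel] = "missing"
        elif sha256_file(target) == expected:
            result[rel] = "pristine"
        else:
            result[rel] = "modified"
    return result

def build_demo():
    """Constructed sample: a tiny fake install tree and its recorded index."""
    root = Path(tempfile.mkdtemp(prefix="update-demo-"))
    files = {"bin/ls": b"release ls", "usr/sbin/sendmail": b"release sendmail",
             "lib/libc.so.4": b"release libc"}
    recorded = {}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        recorded[rel] = hashlib.sha256(data).hexdigest()
    # Simulate a local rebuild with custom options, and a removed file.
    (root / "usr/sbin/sendmail").write_bytes(b"locally built sendmail")
    (root / "lib/libc.so.4").unlink()
    return root, recorded

if __name__ == "__main__":
    root, recorded = build_demo()
    for rel, state in sorted(classify(root, recorded).items()):
        print(f"{state:9} {rel}")
```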




Re: Update Utility

2004-03-08 Thread Gerard Seibert
On Monday, March 08, 2004 1:56:24 PM [EMAIL PROTECTED] wrote:

|Date: Mon, 8 Mar 2004 12:22:09 -0500
|From: Bart Silverstrim [EMAIL PROTECTED]
|Subject: Re: Update utility
|To: Ioannis Vranos [EMAIL PROTECTED]
|Cc: FreeBSD Questions Mailing List [EMAIL PROTECTED]
|Message-ID: [EMAIL PROTECTED]
|Content-Type: text/plain; charset=US-ASCII; format=flowed
|
|
|On Mar 8, 2004, at 12:15 PM, Ioannis Vranos wrote:
|
| Is there any utility in FreeBSD 4.9 to check for possible updates/bug 
| fixes
| via internet?
|
|
|I *think* I have kind of a handle on this on the server I just
|installed...
|
|I usually do a cvsup to update the list of the ports tree, then use a 
|procedure I picked out of http://www.freebsddiary.org/portupgrade.php 
|to update applications with portupgrade.
|
|If anyone else has a method other than this, I'd love to know the 
|procedure :-)
|
|This only updates ports.  Updating FreeBSD, I don't know of anything 
|other than if you find a security advisory, you have to have the src 
|tree and patch that portion and recompile whatever had the 
|vulnerability, following the advisory instructions.  I'm thinking that 
|since most daemons/applications are from ports, keeping your ports tree 
|updated should limit most remote exploits...I would be interested in 
|knowing of a way to check whether the installation of the OS is up to 
|date, though.


** Reply Separator **
Monday, March 08, 2004 3:24:31 PM

I use what many might consider a rather contorted mix of programs to
update my system.

First, I log in as root. I could use 'sudo' but I have found that at
times portupgrade does not work correctly with it. Even when I add the
'-s' switch. In any case, I run them in the following order as
specified.

1)  cvsup
2)  pkgdb -aFfuv
3)  portsdb -Uu
4)  portupgrade -aDDPrRvy
5)  periodic weekly

I am not sure if this is the absolute correct way to do things; however,
so far I have not experienced any problems doing it this way. You could
skip step five if your system is on 24/7 or at least when the cron job
is scheduled to run.

You might want to throw a 'portsclean -CDDLPP' into the mix also prior
to step five.

I am sure that others will have far better suggestions.

Gerard Seibert
[EMAIL PROTECTED]




Re: Update utility

2004-03-08 Thread Kevin D. Kinsey, DaleCo, S.P.
Bart Silverstrim wrote:

> On Mar 8, 2004, at 12:15 PM, Ioannis Vranos wrote:
>
> > Is there any utility in FreeBSD 4.9 to check for possible updates/bug
> > fixes via internet?
>
> I *think* I have kind of a handle on this on the server I just
> installed...
>
> I usually do a cvsup to update the list of the ports tree, then use a
> procedure I picked out of http://www.freebsddiary.org/portupgrade.php
> to update applications with portupgrade.
>
> If anyone else has a method other than this, I'd love to know the
> procedure :-)
>
> This only updates ports.  Updating FreeBSD, I don't know of anything
> other than if you find a security advisory, you have to have the src
> tree and patch that portion and recompile whatever had the
> vulnerability, following the advisory instructions.  I'm thinking that
> since most daemons/applications are from ports, keeping your ports
> tree updated should limit most remote exploits...I would be interested
> in knowing of a way to check whether the installation of the OS is up
> to date, though.

Colin Percival has done something kinda new
and different (and interesting.) he calls
FreeBSD Update.  I've not tried it, but IIRC
the details are at http://www.daemonology.net/freebsd-update/
HTH,

Kevin Kinsey
DaleCo, S.P.


Re: Update utility

2004-03-08 Thread Colin Percival
[Please CC on replies, I don't subscribe to -questions]

[EMAIL PROTECTED] wrote:
> I'm interested in the time it takes to do the freebsd-update, and if
> rebooting is needed.
>
> Can someone post experiences and approximate run times?

  Rebooting is necessary if there's a kernel update; it is recommended
if shared libraries are modified, since that's the easiest way to make
sure that you don't have any daemons which are still using the old
libraries.
  Approximate run times... somewhere around 2-5 seconds plus download
time; for a single advisory, the total time will probably be under 30
seconds, while a more significant update (say, 12 months of updates to
FreeBSD 4.7, or the 5.2 - 5.2.1 update) might be as much as 5 minutes.
Connection speed is remarkably insignificant here -- FreeBSD Update
uses binary diffs (why doesn't anyone else do this?) to reduce update
sizes by a factor of 50, to the point where most of the time is spent
on HTTP/TCP round trip times.
Colin Percival



Re: Update utility

2004-03-08 Thread Steve Ireland

- Original Message -
From: Kevin D. Kinsey, DaleCo, S.P. [EMAIL PROTECTED]
To: Bart Silverstrim [EMAIL PROTECTED]
Cc: Ioannis Vranos [EMAIL PROTECTED]; FreeBSD Questions Mailing List
[EMAIL PROTECTED]
Sent: Monday, March 08, 2004 17:24
Subject: Re: Update utility


> Bart Silverstrim wrote:
>
> > On Mar 8, 2004, at 12:15 PM, Ioannis Vranos wrote:
> >
> > > Is there any utility in FreeBSD 4.9 to check for possible updates/bug
> > > fixes via internet?
> >
> > I *think* I have kind of a handle on this on the server I just
> > installed...
> >
> > I usually do a cvsup to update the list of the ports tree, then use a
> > procedure I picked out of http://www.freebsddiary.org/portupgrade.php
> > to update applications with portupgrade.
> >
> > If anyone else has a method other than this, I'd love to know the
> > procedure :-)
> >
> > This only updates ports.  Updating FreeBSD, I don't know of anything
> > other than if you find a security advisory, you have to have the src
> > tree and patch that portion and recompile whatever had the
> > vulnerability, following the advisory instructions.  I'm thinking that
> > since most daemons/applications are from ports, keeping your ports
> > tree updated should limit most remote exploits...I would be interested
> > in knowing of a way to check whether the installation of the OS is up
> > to date, though.
>
> Colin Percival has done something kinda new
> and different (and interesting.) he calls
> FreeBSD Update.  I've not tried it, but IIRC
> the details are at http://www.daemonology.net/freebsd-update/
>
> HTH,
>
> Kevin Kinsey
> DaleCo, S.P.

Hello,

Below is from a post to [EMAIL PROTECTED] It sounds like what you're looking
for. I haven't tested it yet, but it's on my list of things to look into.

HTH,

Steve

On Thu, Mar 04, 2004 at 03:27:17PM +1100, Michael Vince wrote:
> Hi all
> I thought I would let you people know of a script that I coded that
> facilitates security patch updating on FreeBSD. When I wrote it I
> decided to call it Quickpatch for some reason, even though, because it's
> source based, it's not necessarily the least bit quick at all :) I had
> kept it for myself for a while but I was recently provoked to release
> it as it could do greater good being out there on the net, because it's
> in Perl it's quite hackable for custom needs.
>
> http://www.roq.com/projects/quickpatch/
>
> It has the ability to do a range of different update tasks. These
> features include the ability to easily verify (using PGP) any and all
> advisories, easy setup and use of CVSUP for source and ports tree
> updates. Ability to extract all the useful data out of the official
> FreeBSD security advisories, such as necessary patch commands, security
> advisory topic, exact hours since the patch was made/released, then can
> create ready to run patch files or display/email a full report of that
> information. Also, it can optionally apply the patch files with no
> attendance. Because it's highly cronable you can schedule in a 'patch
> mode' kernel recompile and reboot at early morning hours to minimize
> down time inconvenience to others.

Michael, that's terrific!  We've contemplated switching to a
machine-readable format for advisories time and again.  Now that
there is a tool that could make use of that, I'm going to investigate
switching again.

Cheers,
--
Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to [EMAIL PROTECTED]
