Ricardo A. Reis
2006-Apr-10 22:25 UTC
[RFC] Ideas and Questions in security updates ( portaudit, freebsd-update)
Hi all,

I have used FreeBSD for several years, and this project now has the possibility of a full security update (src) with freebsd-update. It is really great for Release users but is broken for Stable users.

OK! There exists the possibility to apply a patch manually and compile the fix, but for me the problem is in fixing a kernel issue in the stable branch, because it requires an update to the latest stable, and this results in {make buildworld,kernel,installworld}, a long time to correct a security issue in a large environment with jails and critical applications like administrative LDAP and high webservers.

Correcting an issue in a large environment is a torment and results in full downtime. What is the recommendation for security updates in a large environment with jails?

About ports security issues, one idea is to integrate portaudit and portupgrade, or create another tool for updating ports. This idea is based on Gentoo glsa-check ( http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14 ).

Thanks for your attention and sorry for my bad English.

Ricardo A. Reis
UNIFESP
Unix and Network Admin
Tom McLaughlin
2006-Apr-11 00:57 UTC
[RFC] Ideas and Questions in security updates ( portaudit, freebsd-update)
On Mon, 2006-04-10 at 16:03 -0300, Ricardo A. Reis wrote:
> Hi all,
>
<snip>
> About ports security issues, one idea is to integrate portaudit and
> portupgrade, or create another tool for updating ports.
> This idea is based on Gentoo glsa-check
> ( http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14 )
>

I recently saw glsa-check while talking to a Gentoo dev at Linux World this past week. It's very nice but does not fit in with our tree and updating model. Gentoo supports updating individual ports while leaving other ports on the system untouched. We do not support this sort of updating model.

To get security updates for the FreeBSD collection you have one of two options. Either A) follow the recommended procedure and update all ports when a security issue for one arises or B) backport patches yourself and support all potential problems yourself.

Tom

>
> Thanks for your attention and sorry for my bad English.
>
> Ricardo A. Reis
> UNIFESP
> Unix and Network Admin

--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
| BSD# http://www.mono-project.com/Mono:FreeBSD |