?Hi, Last years all Security Advisories regarding base system in the "update your vulnerable system via a source code patch " section recommends to rebuild a whole world instead of an affected part of a base system. This is in a most cases an overhead. For example 9 years old SA-11:04 [1] offers: b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.bin/compress # make obj && make depend && make && make install # cd /usr/src/usr.bin/gzip # make obj && make depend && make && make install What is a reason we stop to do it? I understand that the preferred way now is a binary upgrade. Thank you. [1] https://www.freebsd.org/security/advisories/FreeBSD-SA-11:04.compress.asc
11.08.2020 14:21, Oleksandr Kryvulia wrote:> > Hi, > Last years all Security Advisories regarding base system in the "update your vulnerable system via a source code patch " section recommends to rebuild a whole world instead of an affected part of a base system. This is in a most cases an overhead. > > For example 9 years old SA-11:04 [1] offers: > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/usr.bin/compress > # make obj && make depend && make && make install > # cd /usr/src/usr.bin/gzip > # make obj && make depend && make && make install > > What is a reason we stop to do it? I understand that the preferred way now is a binary upgrade. > Thank you.Also binary upgrade is not an option for STABLE users.
Hi, On Tue, Aug 11, 2020 at 10:21:07AM +0300, Oleksandr Kryvulia wrote:> > ?Hi, >Last years all Security Advisories regarding base system in the "update >your vulnerable system via a source code patch " section recommends to >rebuild a whole world instead of an affected part of a base system. This >is in a most cases an overhead. > >For example 9 years old SA-11:04 [1] offers: > >b) Execute the following commands as root: > ># cd /usr/src ># patch < /path/to/patch ># cd /usr/src/usr.bin/compress ># make obj && make depend && make && make install ># cd /usr/src/usr.bin/gzip ># make obj && make depend && make && make install > >What is a reason we stop to do it? I understand that the preferred way >now is a binary upgrade.+1 I've been wondering this as well. What is the reason for it? -- J. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20200903/9c7f7c81/attachment.sig>