Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Keeping my system up to date with CTM or subversion?

1 view
Skip to first unread message

Ed Flecko

unread,
May 22, 2013, 2:26:47 PM5/22/13
to
I'm confused about an effective way to keep my system patched and
up-to-date, and I'm hoping someone can clarify what seems like a lot of
options.

I'll be running a production server (so security and stability are most
important) with a custom kernel and I want it to have all of the latest
security patches applied. I'll install from DVD and I'll chose the option
to install both the ports and the source.

After this, it sure seems like the best way, in terms of speed to download
any updated files, is to use CTM as a cron job, but I think the FBSD
handbook recommends subversion? Also, I think I read that CTM won't update
documentation? Is that right?

I also see some people say they use portsnap, portaudit and portupgrade.
For example, I came across this command:

portsnap fetch && /usr/sbin/portsnap update && /usr/local/sbin/portaudit -F
&& /usr/local/sbin/portupgrade –aR

however these utilities are used more for keeping your ports collection
up-to-date (if you install software from ports), and not so much for
keeping your system patched from a security perspective - isn't that right?

Hopefully, someone can clarify my confusion.

Thank you!

Ed
_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Alexandre

unread,
May 22, 2013, 4:00:37 PM5/22/13
to
On Wed, May 22, 2013 at 8:26 PM, Ed Flecko <edfl...@gmail.com> wrote:

> I'm confused about an effective way to keep my system patched and
> up-to-date, and I'm hoping someone can clarify what seems like a lot of
> options.
>
> I'll be running a production server (so security and stability are most
> important) with a custom kernel and I want it to have all of the latest
> security patches applied. I'll install from DVD and I'll chose the option
> to install both the ports and the source.
>
> After this, it sure seems like the best way, in terms of speed to download
> any updated files, is to use CTM as a cron job, but I think the FBSD
> handbook recommends subversion? Also, I think I read that CTM won't update
> documentation? Is that right?
>
> I also see some people say they use portsnap, portaudit and portupgrade.
> For example, I came across this command:
>
> portsnap fetch && /usr/sbin/portsnap update && /usr/local/sbin/portaudit -F
> && /usr/local/sbin/portupgrade –aR
>
> however these utilities are used more for keeping your ports collection
> up-to-date (if you install software from ports), and not so much for
> keeping your system patched from a security perspective - isn't that right?
>
> Hopefully, someone can clarify my confusion.
>
> Thank you!
>
> Ed
>

Hi Ed,

To update my ports tree, I use "portsnap" tool. To install ports (or
upgrade them) I use "portmaster". More information here:
http://www.freebsd.org/doc/en/books/handbook/ports-using.html
To update my sources tree, I use "subversion" tool. Then I rebuild world.
More information here: http://www.freebsd.org/doc/en/books/handbook/svn.html
& http://www.freebsd.org/doc/en/books/handbook/makeworld.html
I use subversion to update my sources tree because I am running 9-STABLE.
If you are running 9.x-RELEASE (or 8.x-RELEASE) you can use
"freebsd-update" to sync sources and install binary patchs. As you are
using custom kernel, you will have to recompile it. More information here:
http://www.freebsd.org/doc/en/books/handbook/updating-upgrading-freebsdupdate.html

I hope this help you.

Kind regards,
Alexandre

Ed Flecko

unread,
May 22, 2013, 4:23:39 PM5/22/13
to
Alexandre,
Yes, that helps - thank you.

So once you have a system up and running, how do you monitor if and when
you need to upgrade your ports tree?

By the way, your ports tree is different than installed software packages,
right? In other words, the only reason people even bother to upgrade their
ports tree is so that IF you install a package from source - the source is
current? Is that correct?

When security vulnerabilities are discovered and patches released by FBSD,
the patch will tell you what steps you need to take to apply the patch and
stay up to date, won't it?

Ed

Polytropon

unread,
May 22, 2013, 9:10:14 PM5/22/13
to
On Wed, 22 May 2013 13:23:39 -0700, Ed Flecko wrote:
> So once you have a system up and running, how do you monitor if and when
> you need to upgrade your ports tree?

This highly depends on your "updating policy". There are three
mainstream opinions:

a) always update, regularly (e. g. once a week)

b) only update if security requires it (e. g. when portaudit alerts)

c) update as soon as an additional functionality is desired

Of course, "combined opinions" are also valid. :-)

For updating the ports tree, portsnap is the eaiest tool. However,
if you follow opinion a) and update _very_ regularly (e. g. daily),
you could use SVN to obtain the (smaller) deltas to your local tree.
This also helps because you can directly access the tree and don't
have to wait until a snapshot is made available. For "higher update
frequencies", this is often the better approach.

There is another valid opinion: Install once, make sure everything
works, never touch a running system. I'm a big fan of this attitude,
at least on my home systems. ;-)



> By the way, your ports tree is different than installed software packages,
> right?

That is possible when you update your ports tree (by whatever
method) _after_ you have installed something. A typical conclusion
is that you might need to rebuild stuff as soon as you install
something with that (newer) tree.

Example: Tree is at version 12345, you install foo-1.0 which
depends on bar-1.5. Two weeks later, you update your ports tree
and get version 23456. You don't want to touch foo and bar, but
you now need to install baz which requires bar-1.6 (which has
now arrived in the tree). So now you need to update bar from
1.5 to 1.6, and _maybe_ also foo to a newer version (whatever
that might be).



> In other words, the only reason people even bother to upgrade their
> ports tree is so that IF you install a package from source - the source is
> current? Is that correct?

Maybe the wording is a bit strange, but yes, updating the ports
tree means to have the lastest and _consistent_ versions of all
the programs in the tree (so their "interconnections" will work
properly). This is also helpful when you install from different
sources, e. g. some stuff from source, some stuff as binary
packages from Latest/.



> When security vulnerabilities are discovered and patches released by FBSD,
> the patch will tell you what steps you need to take to apply the patch and
> stay up to date, won't it?

The OS patches are announced that way. You should always read the
UPDATING files in /usr/src (for the OS) and /usr/ports (for installed
applications) to make sure you're not missing a simple (but important)
step during upgrades.

Patches for the OS are of course handled independently from those
applying to applications from the ports collection.




--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Walter Hurry

unread,
May 22, 2013, 9:35:56 PM5/22/13
to
On Wed, 22 May 2013 13:23:39 -0700, Ed Flecko wrote:

> Alexandre,
> Yes, that helps - thank you.
>
> So once you have a system up and running, how do you monitor if and when
> you need to upgrade your ports tree?
>
> By the way, your ports tree is different than installed software
> packages, right? In other words, the only reason people even bother to
> upgrade their ports tree is so that IF you install a package from source
> - the source is current? Is that correct?
>
> When security vulnerabilities are discovered and patches released by
> FBSD, the patch will tell you what steps you need to take to apply the
> patch and stay up to date, won't it?
>
Why are you asking these questions about a *production* server?
Run for a while with a test server until you have ironed out any issues.

Mike Clarke

unread,
May 23, 2013, 5:16:01 AM5/23/13
to
On Wednesday 22 May 2013 21:23:39 Ed Flecko wrote:

> When security vulnerabilities are discovered and patches released by FBSD,
> the patch will tell you what steps you need to take to apply the patch and
> stay up to date, won't it?

Yes, if you subscribe to the FreeBSD Security Notifications mailing list
<http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications>
you'll get email notifications when security parches are available. These give
details of the background and impact of the vulnerability along with
instructions of how to obtain and apply the patches.

--
Mike Clarke
0 new messages