31st May 2012
jggimi

OpenBSD: Comparing Errata and -Stable

It is best practice to maintain OpenBSD between releases. The OpenBSD Project presents the admin with two choices: track errata patches published on the Project website, or use -stable, sometimes called the "patch branch".

Key differences:
  • Not all patches may be published on the web. At this writing, there is a single security patch for libssl published, as it affects most users, but there is another patch for systrace(1), available only with -stable as the patch applies to a smaller audience.
  • There are -stable patches to the ports tree, usually to apply third party security fixes. At this time these ports are not built into packages and distributed; there are insufficient Project resources to do this for all architectures.
Considerations:
  1. Patch builds are faster than complete builds of kernel and userland. cvs(1) or other CVS clients are not used, so there is no network bandwidth or time consumed to transit the source trees (/usr/src, /usr/xenocara) to apply patches.
  2. A -stable release can be created in order to install the patches to multiple platforms. Simply put, the release you build is applied as a binary upgrade via the bsd.rd RAMDISK kernel and its standard upgrade script.
  3. The -stable ports tree can be used to create and then install any applicable -stable patches.
FAQ

Q: How can I tell what -stable ports are in the tree?

A: At least two ways: 1) You could peruse the CVS logs -- those patches worked up for 5.1-stable will make mention of the OPENBSD_5_1 tag. The src and ports CVS logs are published to Project mailing lists and can be found in the various mailing list archives. The CVS logs are also directly available if you have a local CVS repository, but a local repository is not required to maintain the OS and is unnecessary for most users. 2) You could start with a -release ports tree and then check out -stable, reviewing the console output produced by cvs(1), which will list all changes applied. The script(1) or tee(1) tools may be helpful to log output.

Q: Do I need to have deep knowledge of CVS to use -stable?

A: No, you just need to follow FAQ 5.3, and perhaps the release(8) man page, for guidance on cvs(1) commands and options. Before executing them, of course, you will look them up in the cvs(1) man page to learn what they do. You would never blindly type in something you found on the Internet, would you?

Q: How do I know when there has been a -stable patch committed?

A: I recommend adding cvs update commands to your daily.local or weekly.local scripts, as you see fit, per daily(8). The output is Emailed to root by default, though if you've followed afterboot(8) when you first installed, you have updated /etc/mail/aliases so you get these Emails, and they don't hang out unread by root. You did this, didn't you?

Q: Uh... oops. I didn't know about afterboot(8). Wow.

A: When you first installed, there was an Email from Theo sitting in root's inbox. It had a number of good suggestions, including afterboot(8).

Q: ... Sorry, I didn't pay attention, and deleted it.

A: Since you now have the source code, because you plan to either apply patches or use -stable, you still have that letter. See /usr/src/etc/root/root.mail -- I hope it helps!
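An added illustration of the "how do I know when a -stable patch has been committed" answer above; this script is not part of jggimi's post. It summarises the output of a cvs(1) update against the OPENBSD_5_1 tag into a short report of the kind a daily.local hook could mail to root, listing files updated from the repository and flagging locally modified or conflicting files that would need attention before a build. The function names, the file paths and the sample cvs output are constructed so the script runs offline; the cvs invocation shown in the trailing comment follows the FAQ 5.3 form and is only an example of how the report would be wired in.

```shell
#!/bin/sh
# Added example (not from the original post): turn cvs(1) update output
# into a short "what changed on -stable" report for a daily.local hook.

# Constructed sample of "cvs -q update" output. cvs(1) prefixes each line
# with a status letter: U = updated from repository, P = patched from
# repository, M = locally modified, C = conflict, ? = untracked file.
# The paths are constructed for the example, not taken from a real tree.
SAMPLE_CVS_OUTPUT='U lib/libssl/src/ssl/s3_pkt.c
P bin/systrace/systrace.c
M etc/rc.conf
C sys/conf/GENERIC
? build.log'

# Filter: print only the paths of files that changed in the repository.
# Reads cvs output on stdin.
stable_changes() {
    awk '$1 == "U" || $1 == "P" { print $2 }'
}

# Count repository-side changes in the given cvs output; 0 means nothing
# new has been committed to -stable since the last update.
count_stable_changes() {
    printf '%s\n' "$1" | stable_changes | wc -l | tr -d ' '
}

# Print local modifications (M) and conflicts (C) with their status letter,
# since either would leave the tree different from what -stable carries.
local_problems() {
    printf '%s\n' "$1" | awk '$1 == "M" || $1 == "C" { print $1, $2 }'
}

# Build the report text for the given cvs output.
stable_report() {
    out="$1"
    n=$(count_stable_changes "$out")
    if [ "$n" -eq 0 ]; then
        echo "-stable: no new changes"
    else
        echo "-stable: $n file(s) updated from the repository:"
        printf '%s\n' "$out" | stable_changes | sed 's/^/  /'
    fi
    probs=$(local_problems "$out")
    if [ -n "$probs" ]; then
        echo "local modifications/conflicts (review before building):"
        printf '%s\n' "$probs" | sed 's/^/  /'
    fi
}

# In /etc/daily.local the report would be fed real cvs output, for example
# (assumed wiring, not from the post; daily(8) mails the output to root):
#   out=$(cd /usr/src && cvs -q update -rOPENBSD_5_1 -Pd 2>&1)
#   stable_report "$out"
stable_report "$SAMPLE_CVS_OUTPUT"
```

The same filter works for a -stable ports tree checkout: run it on the cvs output from /usr/ports to see which ports received -stable commits.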