Update FreeBSD /usr/src

[tommytom]

Hi Everyone,

How can I update the /usr/src for FreeBSD version 7.0 using cvs?
I have not been using cvs for a long time.

Thanks.

Tom.

[jbhappy]

csup(1) is a popular choice. see the man page and /usr/share/examples/cvsup for more information. let us know if you have further questions.

[graudeejs]

supfile:

Code:

*default host=cvsup3.lv.freebsd.org
*default base=/usr
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix compress
*default tag=.
#RELENG_7_0

#ports-all
src-all

replace default host to your local host

run cvsup /path/to/supfile

[DutchDaemon]

I use a little 'csupper' script, which uses the port sysutils/fastest_cvsup to find the fastest mirror in my vicinity:

Code:

#!/usr/local/bin/bash

server=`/usr/local/bin/fastest_cvsup -Q -c nl,de,be,uk`
day=`/bin/date +%a`

echo "
Using $server today.
"
if [ $day == "Sun" ]
then
echo "
Full source tree compare (not using csup -s)."
/usr/bin/csup -4 -h $server -l /tmp/csup.lock -z -L 2 /etc/cvsupfile
else
echo "
Fast source tree compare (using csup -s)."
/usr/bin/csup -4 -h $server -l /tmp/csup.lock -z -s -L 2 /etc/cvsupfile
fi

The cvsupfile looks like this:

Code:

*default host=cvsup6.nl.freebsd.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7
*default delete use-rel-suffix
*default compress
src-all

[ninjatux]

I have this section in make.conf. I also have cronjobs configured for updating ports and src. But if I have to, I can run make update in /usr/ports and or /usr/src to update either or both.

Code:

# --< updating :: BEGIN >------------------------------------------------------
SUP_UPDATE=     yes
SUPHOST=        cvsup3.us.freebsd.org
SUP=            /usr/bin/csup
SUPFILE=        /usr/share/examples/cvsup/stable-supfile
PORTSSUPFILE=   /usr/share/examples/cvsup/ports-supfile
# --< updating :: END >--------------------------------------------------------

[audio]

In a production environment would you use csup RELENG_7 or would you just apply security patches manually as they come out on the mailing list?

[graudeejs]

I would use RELENG_7_0 as it includes source security patches, but then you need to rebuild system
Or you can binary update system (don't remember what was name of script or prog, i don't use it, since i use FreeBSD at home)

[audio]

Quote:

Originally Posted by killasmurf

I would use RELENG_7_0 as it includes source security patches, but then you need to rebuild system
Or you can binary update system (don't remember what was name of script or prog, i don't use it, since i use FreeBSD at home)

So if you apply a patch manually following a security advisory you don't have to rebuild kernel/world, you just have to recompile the vulnerable software... or does it patch the vulnerable binary so you don't even have to recompile?

[TerryP]

(note this is as _I_ understand it and the accuracy of this post is not assured.)


The security advisories that come out generally fit into the format of:


What is the problem
Who does it effect
How do we deal with it


In the case of FreeBSD-SA-08:06.bind, only the relevant software needs to have patches applied to the appropriate source code on your system (bind9 stuff), then recompiled and reinstalled. freebsd-update even allows us to skip that part and just use binary diffs and what not.


There is no need to update the entire system in order to correct the security issue, unless you want to or need to rebuild world, kernel, and ports while you are at it. Which is probably a waste of time and extra work for you, if you've got to keep that thing more stable then the US deficit getting bigger.

Code:

Affects:        All supported FreeBSD versions.
Corrected:      2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
                2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)

This basically means that as of YYYYY-MM-DD at HH:MM:SS Zulu time the stable branch has the patches committed in addition to what ever is already in the stable branch. And that the security branches for the releases in question have also been updated, e..g RELENG_7 => 7 stable code from 2008-07-13 18:42:38Z and later are not affected by the security issue.

Thus equaling 7 stable before the patch + the patch. While RELENG_7_0 => 7.0-Release + patches + this patch; which won't include anything from 7 stable that wasn't patched in, e.g. because of a security advisory.


It's basically, do you want the original release plus security patches or do you want the stable branch as of whenever the patch was committed. And unless you explicitly checkout that revision, when you go to update a 7 stable machine you get any commits made to that branch afterwards too, whether security or not.


Again, this is as I understand things, not to say that I'm right! lol.

[jbhappy]

Quote:

Originally Posted by TerryP

Again, this is as I understand things, not to say that I'm right! lol.

I'd say you're pretty much right. The one thing I'd add is that some patches, particularly those to OpenSSL, will require rebuilding world and kernel, even if you're running -RELEASE. Those seem pretty rare, though.

[audio]

That clears things up for me, thanks guys!