Re: ports security branch



On Tuesday 20 December 2005 11:18, rihad wrote:
> Yann Golanski wrote:
> > Quoth rihad on Tue, Dec 20, 2005 at 10:25:59 +0400
> >
> >>Is there a security branch for the FreeBSD ports collection? Let's say,
> >>I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages
> >>(i.e., those on the CD). Running security/portaudit after a while
> >>reveals that some of the installed packages have vulnerabilities. Am I
> >>on my own to go grab the fresh ports tree, and upgrade the affected
> >>software, suffering all the intricacies of the move by myself? Debian
> >>GNU/Linux has its security package updates, OpenBSD has a separately
> >>maintained "errata" ports branch (it's very likely you still get to
> >>download a newer release of the software, though).
> >
> > Attached is a script I use to update my machines. It works fine but
> > you need to understand what it does and not run it blindly. DO NOT put
> > that in cron, there lies pain!
> >
> > Otherwise, just run the script and it will update all your ports for
> > you. It'll even mail you with the updated ports.
>
> [script snipped]
>
> A very interesting script for its own purpose, but I'm afraid this
> doesn't answer my question at all.

FreeBSD accepts limited responsibility for what is in /usr/ports. Maintaining
security is not one of them.

> Perhaps seeing the way that e.g.
> Debian deals with the upgrade problem might shed some light on the
> issue. Hell, FreeBSD does exactly that for the base world+kernel, too!
> Not for the ports, though.

See above. Instead of focusing on the method, focus on the end-goal: you want
security updates on your ports and the script posted attempts to provide
that.
I had one that was safe to run in cron (in fact it ran in periodic/daily), but
uses a cvs tree of ports, not cvsup to save time[1]. I lost it with a disk
crash, but was going to recreate it anyway, might as well do it now if people
are interested.

[1] cvsup, although faster on the entire tree, cannot update a single
directory.
--
Melvyn Sopacua
freebsd.stable@xxxxxxxxxxxxxxxxxxx

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"


