Keeping FreeBSD Up-to-Date: A Security Odyssey

Submitted by TTF on 2004-12-05 (FreeBSD)

This article presents multiple ways to keep the FreeBSD operating system up-to-date. It takes a FreeBSD 5.2.1-RELEASE system through a subset of security advisories to explain the different sorts of patches an administrator might apply.

About the author: Eugenia Loli, ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

19 Comments

2004-12-05 9:28 am
What is wrong with CVSup + the world targets?

2004-12-05 12:25 pm
Well, if make -j4 buildworld takes ~3 hours on a Celeron@450, you'll learn to appreciate freebsd-update.

2004-12-05 12:39 pm
Just imagine how much buildworld takes on a PII-250. I recall it took about 2 days to build the 5.3_RELEASE. Oh well. But that was with -O2; maybe it increased the compile time significantly.

2004-12-05 3:11 pm
The dirty part is portupgrade and how long it takes to make new packages. I wish there was a lazy way for it.

2004-12-05 3:35 pm
http://taosecurity.blogspot.com/2004/11/upgrading-freebsd-packages-…
The lazy way

2004-12-05 4:02 pm
Actually, building world with -O2 isn't recommended, and yes, quite a bit slower. There's a slightly increased risk of the build failing as well (and that's especially frustrating on a slower computer).

2004-12-05 5:53 pm
I don't know whether it was -O2 that was responsible for that, or whether it was the ULE scheduler that I turned on, despite it being marked as 'broken', but compared to my 'normal' 5.2 system installed from CD, this compiled 5.3 is just lightning fast! And it's not your usual 'lightning fast', it's actually just CRAZY fast. The boot time has dropped by 20 seconds! The overall speed improvement is about 20%, although I didn't measure that, just judging by how KDE started to load and work. So it's worth it.
Just for the record, I first tried compiling with -O3, but this turned on -finline-optimizations, and this effectively screwed with the build of the aic drivers and failed altogether somewhere later on… But -O2 is the highest officially supported optimization level, or so the updating manual for 5.3 says… On a side note, I wonder if running mergemaster when upgrading from 5.2 to 5.3 is really necessary. It gives me the creeps and consumes so much time, and most of the changes are really obscure to me… I wonder if it would just suffice to add a 'proxy' user (because that is needed to make installworld) and be done with it. Has anyone tried it?

2004-12-05 6:05 pm
The author says "FreeBSD Update might seem too simple for your tastes." after giving these instructions…

pkg_add -vr freebsd-update
mkdir -p /usr/local/freebsd-update
cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
freebsd-update fetch
/usr/local/sbin/freebsd-update install
freebsd-update install
freebsd-update fetch

And that's for binary updates where you don't have to spend time compiling packages. I'm sorry, but apt-get, yum, and Windows Update never looked better. I realize there are tradeoffs, benefits, pluses & minuses etc. when comparing the various *nixes, but if people still do that much work to update their system in 2004, something is really wrong. I know it's a choice and I'm not saying people shouldn't use what they like, but things like this definitely keep the BSDs well off most geeks' radar.

2004-12-05 6:20 pm
Actually, it's not any more difficult than using Windows Update or Mac OS X Software Update:

Installing freebsd-update (you only have to do these steps once):
1. pkg_add -r freebsd-update
2. cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf

Using freebsd-update:
1. freebsd-update fetch
2. freebsd-update install
3. reboot (if the kernel has been updated), or restart updated daemons
4. run freebsd-update fetch again, because, like with Windows Update, some updates can depend on having other updates already installed

There ya go, even a kid can manage that.

2004-12-05 6:23 pm
@M Well, I could always make a little script to do all that automatically once a week, making it easier than Windows :p

2004-12-05 6:49 pm
Yes, I forgot to mention one thing: just add the line

0 3 * * * root /usr/local/sbin/freebsd-update cron

to /etc/crontab, and the available updates will be automagically downloaded each night, and a mail will be sent to root (or the alias you should have set up in /etc/mail/aliases) when updates are available for installation, so you only have to run freebsd-update install in the morning…

2004-12-05 8:54 pm
Thanks, that looks nice. I knew about -PP but never had success with it as it was always compiling. This setenv should help.

2004-12-05 10:46 pm
Please tell me how to turn ULE on. I know, I know, it is 'dangerous', but it is only for a desktop machine, and I'm willing to take the 'risk' (read: won't go whining if something breaks). ULE worked perfectly on this desktop machine (without PREEMPTION of course), and the speed someone noticed (CRAZY fast – but it wasn't necessarily the speed, it was the responsivity that was amazing for me, especially on the desktop, even during heavy loads) was under ULE. On the other hand, lately (I'm tracking STABLE) responsivity during heavy load seems to have become better with SCHED_4BSD as well. Anyway, I want ULE (seamless DivX playback and general desktop experience with KDE even during compiling C++ progs) back ))

2004-12-06 10:02 am
remove the warning, /usr/src/sys/kern/sched_ule.c: line 60

2004-12-06 4:09 pm
M wrote:
> The author says "FreeBSD Update might seem too simple for
> your tastes." after giving these instructions…

I am the author of this article. You make FreeBSD Update sound complicated. It's not.
Here are three comments:

First, these commands are run once, to install the FreeBSD Update tool.

This installs the package. You can also build the port.

# pkg_add -vr freebsd-update

This creates a directory for the update process. This will be unnecessary soon for packages and is already unnecessary when building from the port.

# mkdir -p /usr/local/freebsd-update

This says to use the default configuration file. This should not be automated, since automation would assume you accept the author's defaults unconditionally.

# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf

Once those three commands are done, you never have to do them again. FreeBSD Update is installed.

Second, only two commands are needed to update the OS.

This retrieves updates.

# freebsd-update fetch

This installs updates.

# freebsd-update install

That's pretty simple to me.

Third, you duplicated commands in your post. That makes the process look unnecessarily complicated.

Eugenia, thanks for posting this story.

Sincerely,
Richard Bejtlich

2004-12-06 6:33 pm
I've been a FreeBSD user for several months now, but I have only recently heard about the option of binary upgrades, and it sounds exciting! However, the article seems to mention a GENERIC kernel as a requirement for freebsd-update to work correctly, or am I wrong? If I'm not wrong, is there anything I could do to make it still work on a custom machine? I'd hate to keep a GENERIC kernel; my custom one boots so much faster.

2004-12-06 7:13 pm
After reading the article, I tried it out. What happens is, if something has to patch the kernel, then the binaries only work on the GENERIC kernel. If you modified it, then you need to update by source. Anything else seems to work fine. The update process will actually choose only the ones that will work. If you have a modified kernel, it will skip those that patch the kernel and tell you what patches you missed.

2004-12-06 7:55 pm
@Jon Door Thanks. Will try it out soon.
It is this line, right?:

#error "The SCHED_ULE scheduler is broken. Please use SCHED_4BSD"

2004-12-06 8:46 pm
That one worked for me. I ran a test build with it removed; unfortunately, on my dual P3 ULE does display instability, especially when running audio through xmms; crashes after a few minutes.
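The update procedure the thread settles on (freebsd-update fetch, freebsd-update install, reboot if the kernel was replaced, then fetch again because some updates depend on earlier ones), written up as a wrapper script. This is an added example, not code from the article, from Richard Bejtlich, or from the freebsd-update port. It assumes the port's command path /usr/local/sbin/freebsd-update (taken from the cron line in the thread), that binary kernel updates replace /boot/kernel/kernel, that `uname -i` prints the kernel ident on this FreeBSD release, and a configurable number of fetch/install rounds (default 2). The variable names FREEBSD_UPDATE, KERNEL and ROUNDS and the function names are the example's own. The point a practitioner cares about is the last step: a kernel patch is not in effect until the machine boots into the new kernel, so the script fingerprints the kernel file before and after and says whether a reboot is due.

```shell
#!/bin/sh
# Added example wrapper around the freebsd-update cycle from the thread; not
# code from the article or the freebsd-update port. Assumptions: the port's
# command lives at /usr/local/sbin/freebsd-update, binary kernel updates
# replace /boot/kernel/kernel, and "uname -i" prints the kernel ident.
FREEBSD_UPDATE="${FREEBSD_UPDATE:-/usr/local/sbin/freebsd-update}"
KERNEL="${KERNEL:-/boot/kernel/kernel}"
ROUNDS="${ROUNDS:-2}"   # thread: fetch again after install, for dependent updates

# POSIX checksum of a file (cksum on stdin prints "crc size"), or "missing".
file_sum() {
    if [ -f "$1" ]; then
        cksum < "$1" | cut -d ' ' -f 1
    else
        echo missing
    fi
}

# Kernel patches in the binary updates only apply to GENERIC; freebsd-update
# skips them on a custom kernel, so warn the admin up front.
check_kernel_ident() {
    ident=$(uname -i 2>/dev/null || echo unknown)
    if [ "$ident" != GENERIC ]; then
        echo "warning: kernel ident is '$ident', not GENERIC; kernel patches will be skipped, update those by source" >&2
        return 1
    fi
    return 0
}

# Run fetch then install, ROUNDS times, so an update that depends on one
# installed in an earlier round is picked up. Stops at the first failure and
# returns its exit status.
run_update_cycle() {
    i=1
    while [ "$i" -le "$ROUNDS" ]; do
        "$FREEBSD_UPDATE" fetch || return $?
        "$FREEBSD_UPDATE" install || return $?
        i=$((i + 1))
    done
}

# True (0) when the two checksums differ, i.e. the kernel file was replaced.
kernel_changed() {
    [ "$1" != "$2" ]
}

# Whole procedure: fingerprint the kernel, update, fingerprint again. Prints
# "reboot" when the kernel changed (a kernel fix is not in effect until you
# boot into it) and "no-reboot" otherwise; returns the cycle's exit status.
update_and_report() {
    before=$(file_sum "$KERNEL")
    run_update_cycle || return $?
    after=$(file_sum "$KERNEL")
    if kernel_changed "$before" "$after"; then
        echo reboot
    else
        echo no-reboot
    fi
}

# Usage: sh update.sh run   (as root, since freebsd-update install writes to /)
if [ "${1:-}" = run ]; then
    check_kernel_ident || :
    update_and_report
fi
```

Run it as root with `sh update.sh run`. The nightly `freebsd-update cron` entry from the thread still only downloads; this script is the morning step that installs, repeats the fetch, and tells you whether the kernel it just replaced needs a reboot before the fix counts. Because the command path is a variable, the functions can be exercised against a stub without touching a real system.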