pkgsrc packaging of base?

Oliver Fromme check+iuf8dh00rsua2fvx at fromme.com
Thu Feb 9 05:38:22 PST 2006


David Kirchner <dpk at xxxxxxx> wrote:
 > Paul Allen <pallen at xxxxxxxxxxxxxxxxxxxxxx> wrote:
 > > The defining feature of the base system in FreeBSD is a set
 > > of libraries whose versioning is considered as a set and where
 > > library number bumps are carefully planned with respect to
 > > changes.  Thus ensuring that it is relatively easy to run old
 > > binaries on new systems, and ensuring that you are usually
 > > free of upgrade hell--within the scope of the base system.
 > > (at least that is the goal....)
 > >
 > > Furthermore these library changes are carefully matched to
 > > changes in the sysctl's, ioctls, and syscalls.
 > >
 > > This is a golden bit of work that makes FreeBSD work well
 > > (and that Dragonfly has inherited).
 > 
 > It makes it work well right up until gzip or some other program ends
 > up with a security hole, and then you have to either manually patch it

Which is usually very easy.

 > (having no way to verify later if it was patched other than 'md5')

The patches should increase the RCS/CVS ID, so you can use
ident(1) on the binary.

 > or upgrade the entire OS to -STABLE.

Which is usually quite easy, too.

There's a third possibility:  Download a patched binary.
Same effect as manually patching and compiling it, but
some people might prefer not to do that themselves.

 > Without packaging up the base system, updating a small amount of
 > servers (100 or so) becomes a very difficult task

Uhm, I've done that in the past (FreeBSD).  It's not
difficult at all, provided that the server farm has
been designed and set up in a reasonable way (with
updating in mind, right from the beginning).

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd

Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
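
The ident(1) check mentioned above, as an added example that is not part of the original message: it pulls the same "$Keyword: ... $" strings out of a binary and compares each embedded revision with the lowest revision known to carry a fix. The file names, revision numbers and sample bytes are constructed for illustration, and the "minimum revision" table is an assumption about how an admin would record patch levels.

```python
import re

# Same shape ident(1) looks for in a file: "$Keyword: text $"
KEYWORD_RE = re.compile(rb"\$([A-Za-z]+): ([^$\n]+?) \$")
REV_RE = re.compile(r"\d+(\.\d+)+")


def rcs_ids(blob):
    """Map RCS file name -> revision tuple for each Id-style keyword in blob."""
    found = {}
    for _keyword, text in KEYWORD_RE.findall(blob):
        fields = text.decode("ascii", "replace").split()
        # Id-style value: "<file>,v <revision> <date> <time> <author> <state>"
        if len(fields) >= 2 and fields[0].endswith(",v") and REV_RE.fullmatch(fields[1]):
            found[fields[0]] = tuple(int(n) for n in fields[1].split("."))
    return found


def patch_status(blob, minimum):
    """Compare embedded revisions against {rcs_file: "minimum.revision"}."""
    have = rcs_ids(blob)
    report = {}
    for name, wanted in minimum.items():
        want = tuple(int(n) for n in wanted.split("."))
        got = have.get(name)
        if got is None:
            report[name] = "no-id"         # stripped, or the ID was never embedded
        elif got[:-1] != want[:-1]:
            report[name] = "other-branch"  # revisions on different branches do not order
        elif got >= want:
            report[name] = "patched"
        else:
            report[name] = "outdated"      # numeric compare: 1.9 is older than 1.10
    return report


# Constructed sample: bytes standing in for the contents of an installed binary.
SAMPLE = (
    b"\x7fELF\x00\x00"
    b"$FreeBSD: src/usr.bin/example/main.c,v 1.4.2.3 2006/02/01 10:00:00 builder Exp $\x00"
    b"$FreeBSD: src/usr.bin/example/util.c,v 1.9 2005/11/20 08:30:00 builder Exp $\x00"
    b"$Revision: 1.2 $\x00"
)

if __name__ == "__main__":
    wanted = {"src/usr.bin/example/main.c,v": "1.4.2.2",
              "src/usr.bin/example/util.c,v": "1.10",
              "src/usr.bin/example/io.c,v": "1.1"}
    for name, state in patch_status(SAMPLE, wanted).items():
        print(f"{state:12} {name}")
```

On a real host, pass the bytes of the installed file, for example open(path, "rb").read(), in place of SAMPLE.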




