pkgsrc packaging of base?

Erik P. Skaalerud erik at pentadon.com
Fri Feb 10 06:06:49 PST 2006


Oliver Fromme wrote:
 > It makes it work well right up until gzip or some other program ends
 > up with a security hole, and then you have to either manually patch it

Which is usually very easy.

 > (having no way to verify later if it was patched other than 'md5')

The patches should increase the RCS/CVS ID, so you can use
ident(1) on the binary.

 > or upgrade the entire OS to -STABLE.

Which is usually quite easy, too.

There's a third possibility:  Download a patched binary.
Same effect as manually patching and compiling it, but
some people might prefer not to do that themselves.

 > Without packaging up the base system, updating a small amount of
 > servers (100 or so) becomes a very difficult task

Uhm, I've done that in the past (FreeBSD).  It's not
difficult at all, provided that the server farm has
been designed and set up in a reasonable way (with
updating in mind, right from the beginning).

Oliver, you have to put yourself in the new user's shoes. It's not easy 
at all to manually patch source code and rebuild the appropriate binaries 
and libraries.

I am one of those who like the idea of being able to have a system 
running without the source code on the disk. Binary updates of the 
kernel and userland (like Debian does with apt) are a very nice feature, 
even for me (I know how to patch and build manually).

- Erik




