DragonFly BSD
DragonFly kernel List (threaded) for 2006-02

Re: pkgsrc packaging of base?


From: Oliver Fromme <check+iuf8dh00rsua2fvx@xxxxxxxxxx>
Date: 09 Feb 2006 13:38:22 GMT

David Kirchner <dpk@xxxxxxx> wrote:
 > Paul Allen <pallen@xxxxxxxxxxxxxxxxxxxxxx> wrote:
 > > The defining feature of the base system in FreeBSD is a set
 > > of libraries whose versioning is considered as a set and where
 > > library number bumps are carefully planned with respect to
 > > changes.  Thus ensuring that it is relatively easy to run old
 > > binaries on new systems, and ensuring that you are usually
 > > free of upgrade hell--within the scope of the base system.
 > > (at least that is the goal....)
 > >
 > > Furthermore these library changes are carefully matched to
 > > changes in the sysctls, ioctls, and syscalls.
 > >
 > > This is a golden bit of work that makes FreeBSD work well
 > > (and that DragonFly has inherited).
 > 
 > It makes it work well right up until gzip or some other program ends
 > up with a security hole, and then you have to either manually patch it

Which is usually very easy.

 > (having no way to verify later if it was patched other than 'md5')

The patches should increase the RCS/CVS ID, so you can use
ident(1) on the binary.

 > or upgrade the entire OS to -STABLE.

Which is usually quite easy, too.

There's a third possibility:  Download a patched binary.
Same effect as manually patching and compiling it, but
some people might prefer not to do that themselves.

 > Without packaging up the base system, updating a small amount of
 > servers (100 or so) becomes a very difficult task

Uhm, I've done that in the past (FreeBSD).  It's not
difficult at all, provided that the server farm has
been designed and set up in a reasonable way (with
updating in mind, right from the beginning).

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd

Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
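
The ident(1) check mentioned in the message above, sketched as an added example that is not part of the original post or of any project's code: it scans a binary's bytes for RCS keyword strings and compares each source file's revision with the revision that carries a fix. The sample bytes, file paths, revisions, status labels and function names are all constructed for illustration.

```python
import re

# RCS keyword in the form ident(1) looks for: $Keyword: text $
KEYWORD_RE = re.compile(rb"\$([A-Za-z]+): ([^$\n]*?) \$")

# Constructed sample standing in for a binary's bytes (not a real file).
SAMPLE = (
    b"\x7fELF\x00\x00"
    b"$FreeBSD: src/usr.bin/example/main.c,v 1.7.2.3 2006/02/01 10:00:00 alice Exp $\x00"
    b"$FreeBSD: src/usr.bin/example/util.c,v 1.4 2005/11/20 09:30:00 bob Exp $\x00"
)

def ident(data):
    """Return (keyword, value) pairs for every RCS keyword string in data."""
    return [(m.group(1).decode("ascii"), m.group(2).decode("latin-1"))
            for m in KEYWORD_RE.finditer(data)]

def parse_id(value):
    """Split 'path,v 1.2.3.4 date ...' into (path, revision tuple), or None."""
    fields = value.split()
    if len(fields) < 2 or not fields[0].endswith(",v"):
        return None
    try:
        return fields[0][:-2], tuple(int(p) for p in fields[1].split("."))
    except ValueError:
        return None

def check(data, fixed):
    """Map each path in fixed (path -> revision carrying the fix) to a status."""
    found = dict(p for p in (parse_id(v) for _, v in ident(data)) if p)
    report = {}
    for path, fixed_rev in fixed.items():
        want = tuple(int(p) for p in fixed_rev.split("."))
        have = found.get(path)
        if have is None:
            report[path] = "no-ident"       # keyword string absent from the binary
        elif have[:-1] != want[:-1]:
            report[path] = "other-branch"   # revisions on different branches do not order
        elif have[-1] >= want[-1]:
            report[path] = "patched"
        else:
            report[path] = "unpatched"
    return report

if __name__ == "__main__":
    for path, status in check(SAMPLE, {
        "src/usr.bin/example/main.c": "1.7.2.3",
        "src/usr.bin/example/util.c": "1.5",
    }).items():
        print(status, path)
```

An ident string records which source revision was compiled in; it says nothing about whether the binary was modified afterwards, which is what a checksum comparison covers.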


